Splunk Search

hosts with certain criteria (simplified REGEX)

Noorzaie
Explorer

I want to pull data for certain HOSTs in my index. For example:
(host=*pr1p01 OR host=*pr1p03 OR host=*pr1p05 .. ) - servers with ODD or EVEN numbers.

Appreciate the help.


woodcock
Esteemed Legend

Given this clarification:

My list of hosts is growing and there are other hosts that I don't want to include (hence the criteria), so instead of adding the additional hosts to the OR criteria, can I use regex or similar to get data with only hosts matching this criteria?

I assume your concern is housekeeping, not complexity nor filtering, per se. If so, then the solution is to create an eventtype and make sure that all of your users and searches use it like this:

eventtype=SpecialHosts ...

Then you modify this ONE definition in ONE place ( eventtypes.conf ) as often as needed and when you save it, INSTANTLY everything else is updated:

[SpecialHosts]
index=my-ndx "some criteria" (host=*pr1p01 OR host=*pr1p03 OR host=*pr1p05 OR host=*pr1p07 OR host=*pr1p09 OR host=*pr1p11)

woodcock
Esteemed Legend

Did this work?


Noorzaie
Explorer

Thank you all for your inputs. I think this will work but I will ask Martin if this will filter out the hosts on the first pass.

index=foo (host=*pr1p*1 OR host=*pr1p*3 OR host=*pr1p*5 OR host=*pr1p*7 OR host=*pr1p*9) | ...


martin_mueller
SplunkTrust

This will work as long as you have no host called pr1pfoo1 that's not supposed to be matched. Regex'ing for digits would filter it out, this wildcard would not.


woodcock
Esteemed Legend

OK, I think you are looking for this:

... regex host=".*\d+$"

But really we can't say for sure because your question and followup comments are SO contradictory and unclear. You definitely need the regex host= command but until you can be PERFECTLY CLEAR about what you are trying to match, we cannot help you. The regex in my solution matches any host that ends in a digit.


Noorzaie
Explorer

Let me try to explain one more time 😉
I have this query:
index=my-ndx "some criteria" (host=*pr1p01 OR host=*pr1p03 OR host=*pr1p05 OR host=*pr1p07 OR host=*pr1p09 OR host=*pr1p11) | stats pipeline

My list of hosts is growing and there are other hosts that I don't want to include (hence the criteria), so instead of adding the additional hosts to the OR criteria, can I use regex or similar to get data with only hosts matching this criteria?

thanks,


bjcross
Explorer

also syntax is host_regex instead of regex host

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf


woodcock
Esteemed Legend

See my latest answer regarding eventtypes (immediately forthcoming)...


aljohnson_splun
Splunk Employee

Does @woodcock's first answer, | where match(host, ".*[13579]$") not work ?


Noorzaie
Explorer

No, it returns hosts outside the criteria "*pr1p". I want only hosts with "*pr1p01", "*pr1p03" and so forth.


aljohnson_splun
Splunk Employee

So you just need | where match(host, ".*pr1p[13579]$") ?


martin_mueller
SplunkTrust

If you really only have five matching hosts in each group then I'd strongly recommend tagging each host with either odd or even and searching like this:

index=yourindex tag::host=odd | ...

If this is just a simple example for a more complex or even unknown list of hosts then tagging is not going to work. For performance reasons I'd advise this slightly more complicated solution:

index=yourindex [tstats count where index=yourindex AND host=*pr1p0* by host | where match(host, "pr1p0[13579]$") | fields host] | rest of the search pipeline

That will generate a tailored search filter for Splunk to only look at matching hosts' events. With the late |where in the other suggestions Splunk has to load events from non-matching hosts, process them, and then discard them again. Sloooow.
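To make the difference between the wildcard search, the `match()` regex and the subsearch-generated filter concrete, here is an added Python example (not from this thread or from Splunk) that replays all three over a constructed host inventory, including the `pr1pfoo1` false positive Martin describes. It also goes one step beyond the thread with a generalised regex that accepts any digit count (so `pr1p11` is kept) while still rejecting non-numeric suffixes; the host names and the `sv-` prefix are constructed.

```python
import re

# Constructed sample inventory (not from the thread): odd/even mix plus the
# hypothetical "pr1pfoo1" host and a few look-alikes that must be rejected.
HOSTS = [
    "sv-pr1p01", "sv-pr1p02", "sv-pr1p03", "sv-pr1p05",
    "sv-pr1p11", "sv-pr1pfoo1", "sv-pr2p01", "sv-pr1p01-bak",
]

def wildcard_to_regex(pattern):
    """Turn a Splunk-style host wildcard (only '*' is special) into an anchored regex.
    Splunk search-term matching is case-insensitive, so the regex is too."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def hosts_by_wildcards(hosts, patterns):
    """Hosts admitted by (host=P1 OR host=P2 ...) using wildcard patterns."""
    regs = [wildcard_to_regex(p) for p in patterns]
    return sorted(h for h in hosts if any(r.match(h) for r in regs))

def hosts_by_regex(hosts, regex):
    """Hosts admitted by | where match(host, regex); match() is an unanchored search."""
    r = re.compile(regex)
    return sorted(h for h in hosts if r.search(h))

def subsearch_filter(hosts):
    """The OR clause a subsearch that returns only a `host` field expands to."""
    return "(" + " OR ".join(f'host="{h}"' for h in hosts) + ")"

ODD_WILDCARDS = ["*pr1p*1", "*pr1p*3", "*pr1p*5", "*pr1p*7", "*pr1p*9"]
ODD_REGEX_STRICT = r"pr1p0[13579]$"     # the thread's regex: two-digit suffix only
ODD_REGEX_GENERAL = r"pr1p\d*[13579]$"  # generalisation: digits only, must end odd

if __name__ == "__main__":
    print("wildcards:", hosts_by_wildcards(HOSTS, ODD_WILDCARDS))   # includes sv-pr1pfoo1
    print("strict   :", hosts_by_regex(HOSTS, ODD_REGEX_STRICT))    # drops sv-pr1p11
    print("general  :", hosts_by_regex(HOSTS, ODD_REGEX_GENERAL))   # keeps sv-pr1p11
    print("filter   :", subsearch_filter(hosts_by_regex(HOSTS, ODD_REGEX_STRICT)))
```

The last line is the literal clause the `tstats` subsearch hands back to the outer search, which is why Splunk only has to read events from the hosts already known to match.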

martin_mueller
SplunkTrust

I'll send you my paypal 😛


aljohnson_splun
Splunk Employee

Your second search is, as us kids say, "money".


woodcock
Esteemed Legend

Try this:

... | where match(host, ".*[13579]$")

Or this:

... | eval evenOrOdd = if(match(host, ".*[13579]$"), "ODD", "EVEN") | where evenOrOdd="ODD"

Noorzaie
Explorer

I would like to specifically include only HOSTs with *pr1p0[02468] or *pr1p0[13579]


richgalloway
SplunkTrust

How is that different from 'host=*pr1p0[0-9]'? What exactly are you trying to accomplish?

---
If this reply helps you, Karma would be appreciated.

Noorzaie
Explorer

My objective is to query against the hosts whose names end with ODD numbers but begin with *pr1p.

Thanks.


richgalloway
SplunkTrust

I'm confused by your stated desire to include hosts that end with '[02468]', but woodcock's first suggestion should do the job.

... | where match(host, ".*pr1p0[13579]$")
---
If this reply helps you, Karma would be appreciated.