thank you all for your inputs. I think this will work but I will ask Martin if this will filter out the hosts on the first pass.

index=foo (host=*pr1p*1 OR host=*pr1p*3 OR host=*pr1p*5 OR host=*pr1p*7 OR host=*pr1p*9) | ...

OK, I think you are looking for this:

... regex host=".*\d+$"

But really we can't say for sure because your question and followup comments are SO contradictory and unclear. You definitely need the regex host= command but until you can be PERFECTLY CLEAR about what you are trying to match, we cannot help you. The regex in my solution matches any host that ends in a digit.

If you really only have five matching hosts in each group then I'd strongly recommend tagging each host with either odd or event and searching like this:

index=yourindex tag::host=odd | ...

If this is just a simple example for a more complex or even unknown list of hosts then tagging is not going to work. For performance reasons I'd advise this slightly more complicated solution:

index=yourindex [tstats count where index=yourindex AND host=*pr1p0* by host | where match(host, "pr1p0[13579]$") | fields host] | rest of the search pipeline

That will generate a tailored search filter for Splunk to only look at matching hosts' events. With the late |where in the other suggestions Splunk has to load events from non-matching hosts, process them, and then discard them again. Sloooow.

Try this:

... | where match(host, ".*[13579]$")

Or this:

... | eval evenOrOdd = if(match(host, ".*[13579]$"), "ODD", "EVEN") | where evenOrOdd="ODD"