i am seeking a way to define a variable where i can define a static list of hosts to (re-)use in adhoc searches
Example instead of doing this everytime
index=os host=hosta OR host=hostb OR host=hostc ....host=hostnn
Instead do something like this
index=os host=$MY_HOSTLIST_VAR
I've been trying to do something with Lookup csv file which I uploaded, but can't seem to get that syntax correct.
You can create an eventtype with all the hosts you want in the queries and use the eventtype in your query.
Example:
Create a eventtype=host_list
host=hosta OR host=hostb OR host=hostc
Then use in your query
index=os eventtype=host_list
Thanks worked!
You can create an eventtype with all the hosts you want in the queries and use the eventtype in your query.
Example:
Create a eventtype=host_list
host=hosta OR host=hostb OR host=hostc
Then use in your query
index=os eventtype=host_list