Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

saved search multiple values

klaudiac
Path Finder
‎09-01-2020 08:37 AM

Hi guys, 

I'm trying to create a saved search (instead of  typing the same search command few times a day) , but there's a small "catch" in my search - I want to put multiple choice as one of the variables. 

e.g. Long search: 

index=console1(sourcetype=c1:agent OR sourcetype="c1:agent_registered") computerName="computer1 OR computer2 OR computer25 
| stats count by host

 

I created a basic saved seach: index=console1(sourcetype=c1:agent OR sourcetype="c1:agent_registered") $computerName$
| stats count by host 

So my computerName can be different every time i need to check a new machine., but I can only one at a time... Is there a way to add that option to my saved search?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2020 08:56 AM

Have you considered putting the search into a dashboard?  Then you can have an input selector where you can choose the computers to include in the search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nisha18789
Builder
‎09-01-2020 08:45 AM

Hello @klaudiac , do you have the host list with you? Also, is it like a partcular time only a particular host needs to be searched? If so, does this change with time - ie, at 6 PM today Host XXX needs to be checked while at 6PM tomorrow Host YYY needs to be checked?

If its just simple search from a list of host which you have to begin with you can use :

 

index=console1(sourcetype=c1:agent OR sourcetype="c1:agent_registered") host IN (hostname1,hostname2..)
| stats count by host 

0 Karma
Reply

klaudiac
Path Finder
‎09-01-2020 08:57 AM

Hey, 

The list of the hosts depends on a day when we do the installations, so one day it can be 1 host, and another day I can have a list of 13 to check. 

There's no set time frame so whenever I log in the morning I just set my time to last 30min or last 60min and run it then and see if they are active. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...