Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

saved search multiple values

klaudiac
Path Finder
‎09-01-2020 08:37 AM

Hi guys, 

I'm trying to create a saved search (instead of  typing the same search command few times a day) , but there's a small "catch" in my search - I want to put multiple choice as one of the variables. 

e.g. Long search: 

index=console1(sourcetype=c1:agent OR sourcetype="c1:agent_registered") computerName="computer1 OR computer2 OR computer25 
| stats count by host

 

I created a basic saved seach: index=console1(sourcetype=c1:agent OR sourcetype="c1:agent_registered") $computerName$
| stats count by host 

So my computerName can be different every time i need to check a new machine., but I can only one at a time... Is there a way to add that option to my saved search?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2020 08:56 AM

Have you considered putting the search into a dashboard?  Then you can have an input selector where you can choose the computers to include in the search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nisha18789
Builder
‎09-01-2020 08:45 AM

Hello @klaudiac , do you have the host list with you? Also, is it like a partcular time only a particular host needs to be searched? If so, does this change with time - ie, at 6 PM today Host XXX needs to be checked while at 6PM tomorrow Host YYY needs to be checked?

If its just simple search from a list of host which you have to begin with you can use :

 

index=console1(sourcetype=c1:agent OR sourcetype="c1:agent_registered") host IN (hostname1,hostname2..)
| stats count by host 

0 Karma
Reply

klaudiac
Path Finder
‎09-01-2020 08:57 AM

Hey, 

The list of the hosts depends on a day when we do the installations, so one day it can be 1 host, and another day I can have a list of 13 to check. 

There's no set time frame so whenever I log in the morning I just set my time to last 30min or last 60min and run it then and see if they are active. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...