I need to run a query for a number of hosts
i.e. host=app[1-22]* error
using OR between every host is really not workable.
Is this possible with the query language? It does not appear possible to use regex in the query language itself, but I am hoping I am wrong.
Thanks!
No, regex is not possible at that point of the search. Try this:
host=app* error | rex field=host "app(?<host_number>\d+" | search host_number<23
You can also tag hosts (http://docs.splunk.com/Documentation/Splunk/6.1.2/admin/tagsconf).
[host=app1]
findme = enabled
[host=app2]
findme = enabled
Then search:
host=app* tag::host=findme error
Looks like you missed the closing parenthesis:
host=app* error | rex field=host "app(?<host_number>\d+)" | search host_number<23
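The extract-then-filter approach from the answer above, using the corrected regex from the follow-up comment, simulated end to end in Python. This is an added example, not code from the thread or from Splunk: it mimics what `| rex field=host "..."` and `| search host_number<23` do to a set of events so the effect on hosts such as app23, app100 or appserver is visible. Splunk's PCRE named group `(?<name>...)` is written `(?P<name>...)` in Python's `re` module; the event list is constructed sample data and the helper names are assumptions for this illustration.

```python
import re

# Splunk's rex uses the PCRE named-group syntax "(?<name>...)"; Python's re
# module spells the same group "(?P<name>...)". This is the Python form of the
# corrected rex pattern from the thread (closing parenthesis included).
HOST_NUMBER_RE = r"app(?P<host_number>\d+)"

# Constructed sample events standing in for the results of "host=app* error".
SAMPLE_EVENTS = [
    {"host": "app1",      "_raw": "2014-07-01 10:00:01 app1 error: disk full"},
    {"host": "app7",      "_raw": "2014-07-01 10:00:02 app7 error: timeout"},
    {"host": "app22",     "_raw": "2014-07-01 10:00:03 app22 error: auth failed"},
    {"host": "app23",     "_raw": "2014-07-01 10:00:04 app23 error: oom killed"},
    {"host": "app100",    "_raw": "2014-07-01 10:00:05 app100 error: crash"},
    {"host": "appserver", "_raw": "2014-07-01 10:00:06 appserver error: misc"},
]


def rex_extract(events, field, pattern):
    """Mimic '| rex field=<field> "<pattern>"': events that match gain the
    named-group captures as new fields; non-matching events pass through
    unchanged (they simply never get the extracted field)."""
    compiled = re.compile(pattern)  # raises re.error on a malformed pattern
    out = []
    for ev in events:
        new_ev = dict(ev)
        m = compiled.search(ev.get(field, ""))
        if m:
            new_ev.update(m.groupdict())
        out.append(new_ev)
    return out


def search_less_than(events, field, limit):
    """Mimic '| search <field><<limit>' as a numeric comparison: only events
    whose field exists and parses as a number below limit survive, so events
    that the rex did not match are dropped here."""
    kept = []
    for ev in events:
        value = ev.get(field)
        if value is None:
            continue
        try:
            if float(value) < limit:
                kept.append(ev)
        except ValueError:
            continue
    return kept


def hosts_below(events, limit=23):
    """The full pipeline: rex on the host field, then the numeric filter.
    Returns the surviving host names in their original order."""
    extracted = rex_extract(events, "host", HOST_NUMBER_RE)
    return [ev["host"] for ev in search_less_than(extracted, "host_number", limit)]


def pattern_compiles(pattern):
    """True if the regex compiles. The thread's first rex, which lacked the
    closing parenthesis, fails this check."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print(hosts_below(SAMPLE_EVENTS))                       # ['app1', 'app7', 'app22']
    print(pattern_compiles(r"app(?P<host_number>\d+"))      # False (unterminated group)
```

The wildcard `host=app*` still does the coarse selection of events up front; the rex only adds a numeric field and the final `search` narrows on it, which is what excludes app23 and app100 even though both match the wildcard. Hosts with no digits after "app" never receive a `host_number` field and are dropped by the numeric comparison, so nothing outside the intended app1 to app22 range survives.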