select subset of hosts

BertKraan · ‎09-13-2013

Hello, splunk newbie here,

I have tens of servers named like abc01, abc02 .... abc20. Now i would like to search for events on a subset of these machines like for example only the abc18 and abc19. I'm trying searches like

index="prd_access" sourcetype="access:web:foo" earliest=-7d latest=now | regex "abc(18|19)"

This seems to work but how can i select data from everything except these "abc(18|19)" ?

host!="abc(18|19)"

doesn't seem to work..

Thanks in advance,

Bert

somesoni2 · ‎09-13-2013

you can try using following query

index="prd_access" sourcetype="access:web:foo" earliest=-7d latest=now | search NOT ("abc18" OR "abc19")

zeroactive · ‎09-13-2013

I would use the following:

index="prd_access" sourcetype="access:web:foo" earliest=-7d latest=now NOT host=abc18 NOT host=abc19

There's not a need to run a second search via the | operator, just go ahead and filter out those hosts in the first search command.

BertKraan · ‎09-13-2013

Will give it a try, thanks!

select subset of hosts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

select subset of hosts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future