Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

select subset of hosts

BertKraan
Engager
‎09-13-2013 04:46 AM

Hello, splunk newbie here,

I have tens of servers named like abc01, abc02 .... abc20. Now i would like to search for events on a subset of these machines like for example only the abc18 and abc19. I'm trying searches like

index="prd_access" sourcetype="access:web:foo" earliest=-7d latest=now | regex "abc(18|19)"

This seems to work but how can i select data from everything except these "abc(18|19)" ?

host!="abc(18|19)"

doesn't seem to work..

Thanks in advance,

Bert

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎09-13-2013 04:57 AM

you can try using following query

index="prd_access" sourcetype="access:web:foo" earliest=-7d latest=now | search NOT ("abc18" OR "abc19")

Reply

zeroactive
Path Finder
‎09-13-2013 07:02 AM

I would use the following:

index="prd_access" sourcetype="access:web:foo" earliest=-7d latest=now NOT host=abc18 NOT host=abc19

There's not a need to run a second search via the | operator, just go ahead and filter out those hosts in the first search command.

Reply

BertKraan
Engager
‎09-13-2013 05:33 AM

Will give it a try, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...