- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I create a search parameter that maps to multi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For context, I'm creating a dashboard where a user can search activity of all hosts in an environment or one host in that same environment. Unfortunately, the naming convention used for hostnames makes searching all hosts in a specific environment a bit more complicated than using a single field/value pair with a wildcard. For example, searching all non-production hosts would require a search similar to the following in my case:
index=servers host!="*prd*" AND (host="*30*" OR host="*40*")
In the dashboard, I'd like the user to be able to select a single hostname from a dropdown, or an "All Servers" option from the dropdown.
With that being said, is there a way I can map all the hostnames to a single "field value" such that something like...
index=servers host=allhosts
...would accomplish the same thing as my initial search example?
This would be helpful as it would allow me to use a token for the host field when a user selects an option from the hosts dropdown.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @griffins ,
Could use an eventype for this: https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Abouteventtypes
Thanks,
Jamie
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @griffins ,
Could use an eventype for this: https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Abouteventtypes
Thanks,
Jamie
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this would work; however, after reading through some of the eventtype documentation, search macros were suggested if I was looking to shorten a search. So I was able to create what I needed using search macros, but I believe your suggestion would also work 🙂
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you use*
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
