We're using Splunk in a Windows domain that has hundreds of computers. There is a fixed subset of computers that I want to keep an eye on using events available from Splunk indexes. These indexes contain data from all computers in the domain. I want to write queries that return events only from my subset, but I don't want to have to filter on my subset for each query I write, e.g., I don't want to have to do this:
index=foo host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" .....
Is there a way to make a list of the names of the fixed subset of computers that I can reference when doing any search, e.g.,
index=foo host="myComputerList" .....
I guess there are two main options:
1: Store the host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" .....
into a search macro. So you can then write your search as:
index=foo `host_filter_macro`
More info on search macros: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Definesearchmacros
2: Store the list of hosts into a lookup, and write your search with a subsearch like this:
index=foo [| inputlookup hostlist]
More info on subsearches: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes
[special_hosts]
search = ( index=foo host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" )
then just search
eventtype=special_hosts
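For reference, here is what the three approaches from the answers above look like as actual Splunk configuration. This is an added example, not configuration posted by the answerers or shipped by Splunk; the host names bar1 to bar4 are the question's placeholders, and the file name hostlist.csv, the app-local paths in the comments, and the lookup definition name are assumptions. The one caveat worth knowing about option 2 is that the subsearch turns every field in every lookup row into part of the filter, so the CSV column has to be called host (or be renamed to it) and any other columns should be dropped with fields, otherwise they become extra AND conditions and silently match nothing.

```ini
; ---------------------------------------------------------------
; Option 1: search macro
; File: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf (assumed path)
; Usage:  index=foo `host_filter_macro`
; ---------------------------------------------------------------
[host_filter_macro]
; parentheses keep the OR group together when the macro is expanded
; inline next to other terms such as index=foo
definition = (host="bar1" OR host="bar2" OR host="bar3" OR host="bar4")

; ---------------------------------------------------------------
; Option 2: lookup + subsearch
; File: $SPLUNK_HOME/etc/apps/<your_app>/lookups/hostlist.csv (constructed sample)
;   host
;   bar1
;   bar2
;   bar3
;   bar4
; File: $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf (assumed path)
; Usage:  index=foo [| inputlookup hostlist | fields host]
; The subsearch expands to: (host="bar1") OR (host="bar2") OR (host="bar3") OR (host="bar4")
; `fields host` keeps any extra CSV columns out of the generated filter.
; Without this stanza you can still reference the file directly as
; `inputlookup hostlist.csv`; the stanza is what lets `inputlookup hostlist` resolve.
; ---------------------------------------------------------------
[hostlist]
filename = hostlist.csv

; ---------------------------------------------------------------
; Option 3: eventtype
; File: $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf (assumed path)
; Usage:  eventtype=special_hosts
; ---------------------------------------------------------------
[special_hosts]
search = (index=foo host="bar1" OR host="bar2" OR host="bar3" OR host="bar4")
```

Of the three, the lookup is the easiest to maintain when the watched set changes, because editing one CSV updates every saved search and alert that uses it without touching the searches themselves; the macro and the eventtype both require a configuration edit (and a reload of the knowledge object) each time a host is added or removed.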