Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

idab
Path Finder
‎09-04-2015 01:25 PM

Hi,

I have 25 servers with the same prefix name and suffixed with different number host _1, host_2 ., ......, host_25.

How do you write a search to spool only the servers names from host_11 up to host_23? Instead of using the exclude operator (!=) on the hosts you don't need.

index=* counter="*"  Host="host _1*"    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2015 01:34 PM

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

cramasta
Builder
‎09-10-2015 10:08 PM

I saw someone else do this before was a bit surprised it even worked. 

index= index=* counter="*"   (host=host_1* OR  host=host_2*)  (host >= host_1 AND host <= host_25)  | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎09-08-2015 06:02 PM

Hi @idab

Be sure to accept the answer that solved your question best, otherwise this will appear to other users as unresolved. Thanks!

Patrick

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-04-2015 02:29 PM

Assuming that your host name have same name with suffix as number (1,2,3...24,25) no left padding, try something like this

index= index=* counter="*"  [| gentimes start=-1 | eval Host=mvrange(11,24) | table Host | mvexpand Host | eval Host="YourHostSuffix_".Host ]    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host

The subsearch will dynamically generate a OR condition as 

Host=YourHostSuffix_11 OR Host=YourHostSuffix_12 OR.... OR Host=YourHostSuffix_23

. The only thing you need to provide is the suffix (YourHostSuffix above) and start index (11 in mvrange command) and End range (end range+1 =24 in mvrange).

Reply
Solved! Jump to solution

idab
Path Finder
‎09-08-2015 08:45 AM

Thanks somesoni2

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2015 01:34 PM

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

idab
Path Finder
‎09-08-2015 08:45 AM

Thanks richgallowway!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...