Splunk Search

Can search deal with bracket expansions?

mjones414
Contributor

I'm using splunk in HPC use cases that can span hundreds or even thousands of machines contiguously or potentially in segmented ranges. Although we have a convention, I find it hard at times to scope searches over a complete desired range of a given condition.

I would like to be able to do something like:

host=host[0001-0877,0899,1300-2350], but that doesn't seem to work. Is there another way to kind of dynamically scope ranges like this? I say dynamic because it isn't, and almost never will be, the exact same range per circumstance.

0 Karma

martin_mueller
SplunkTrust

Define a macro like this:

[filter_range(4)]
args = field,prefix,from,to
definition = [localop | stats count | eval count = mvrange($from$,$to$) | mvexpand count | eval $field$ = "$prefix$".count | fields $field$]
errormsg = oops!
iseval = 0
validation = isnum(from) AND isnum(to)

Then search like this:

`filter_range(host,foo,100,200)` OR `filter_range(host,foo,900,950)`

Each call to the macro will generate a list of host=foo100 to host=foo200 (exclusive) OR'd together, by default limited to 10000 rows per subsearch. If you need zero-prefixes you will need to do a bit of formatting in the eval, and maybe add a fifth argument to tell how wide your number should be... or just add the 0 to the prefix.

0 Karma
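The bracket notation from the question, expanded outside Splunk into an OR'd list of literal host= terms. This is an added Python example, not code from the thread or from Splunk; it assumes the asker's own notation field=prefix[a-b,c,d-e] and takes the zero-padding width from how each bound is written, so 0001-0877 yields host0001 rather than host1 (the formatting step the macro answer leaves to the reader). Because the output is a plain disjunction rather than a subsearch, the 10000-row subsearch limit does not apply; the trade-off is a long search string for wide ranges.

```python
import re
from typing import List

# Assumed notation, taken from the question: <field>=<prefix>[<spec>]
# e.g. host=host[0001-0877,0899,1300-2350]
_BRACKET = re.compile(r"^(?P<field>\w+)=(?P<prefix>[^\[\]\s=]*)\[(?P<spec>[^\]]+)\]$")
_ELEMENT = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_spec(spec: str) -> List[str]:
    """Expand "0001-0877,0899,1300-2350" into zero-padded suffixes, in order, without duplicates.

    The padding width is an assumption of this example: it is read from the bounds
    as written, so "0001-0877" is width 4 and "5-9" is width 1.
    """
    out: List[str] = []
    seen = set()
    for raw in spec.split(","):
        part = raw.strip()
        if not part:
            continue
        m = _ELEMENT.match(part)
        if not m:
            raise ValueError(f"bad range element: {part!r}")
        lo_s, hi_s = m.group(1), m.group(2) or m.group(1)
        lo, hi = int(lo_s), int(hi_s)
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        width = max(len(lo_s), len(hi_s))
        for n in range(lo, hi + 1):
            s = str(n).zfill(width)
            if s not in seen:
                seen.add(s)
                out.append(s)
    return out


def bracket_to_spl(expr: str) -> str:
    """Turn host=host[0001-0003] into (host="host0001" OR host="host0002" OR host="host0003")."""
    m = _BRACKET.match(expr.strip())
    if not m:
        raise ValueError(f"expected field=prefix[spec], got {expr!r}")
    field, prefix, spec = m.group("field"), m.group("prefix"), m.group("spec")
    terms = [f'{field}="{prefix}{suffix}"' for suffix in expand_spec(spec)]
    if not terms:
        raise ValueError("range expanded to nothing")
    return "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    clause = bracket_to_spl("host=host[0001-0877,0899,1300-2350]")
    print(len(clause.split(" OR ")), "host terms")
    print(clause[:120] + "...")
```

Paste the returned clause in front of the rest of the search (or build the search string this way before submitting it through the REST API); ranges are emitted in the order written, and a descending or malformed element is rejected rather than silently producing an empty list.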

Runals
Motivator

This isn't a great answer, but you could do something like this in the immediate term:

host=host* sourcetype=foo | rex field=host "\w+?(?<host_num>\d+)$" | search host_num > 877 ....

You could also bake the field extraction into your configs like this so the field is there for searching prior to the first pipe. One of the issues with the above is that it will return all of the events and then strip out those you don't want which isn't efficient.

Props

[foo]
EXTRACT-foo_host_num = \w+?(?<host_num>\d+)$ in host

Beyond that I'm curious if anyone else has a different solution to this as I'd be interested as well!

0 Karma
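A check of the extract-then-filter approach, as an added Python example that is not part of the thread: it runs a rex-style pattern over constructed host names and then applies the numeric range test that the post-pipe search would apply. It shows why the pattern in front of the named group matters: a greedy \w+ also consumes digits and leaves only the last digit in host_num, so a comparison like host_num > 877 never matches, while a lazy prefix anchored to the end of the string captures the whole numeric suffix. Splunk uses PCRE's (?<name>...) syntax; Python's re module spells the same group (?P<name>...).

```python
import re
from typing import List, Optional

# Constructed host names for the demonstration; not from the thread.
SAMPLE_HOSTS = ["host0001", "host0877", "host0878", "host0899", "host1300", "host2350", "host2351"]

# A greedy \w+ in front of the group swallows all but the last digit, because \w matches digits too.
GREEDY = re.compile(r"\w+(?P<host_num>\d+)")
# A lazy prefix plus an end anchor leaves the whole numeric suffix to the group.
ANCHORED = re.compile(r"\w+?(?P<host_num>\d+)$")


def extract_host_num(host: str, pattern: re.Pattern = ANCHORED) -> Optional[str]:
    """What '| rex field=host "<pattern>"' would put in host_num for one event."""
    m = pattern.search(host)
    return m.group("host_num") if m else None


def hosts_in_range(hosts: List[str], lo: int, hi: int, pattern: re.Pattern = ANCHORED) -> List[str]:
    """Emulate '| search host_num > lo host_num <= hi' over already-returned events.

    The comparison is numeric, so the leading zeros in the extracted suffix do not matter.
    Events with no numeric suffix are dropped, as they would be with a failed extraction.
    """
    kept = []
    for h in hosts:
        n = extract_host_num(h, pattern)
        if n is not None and lo < int(n) <= hi:
            kept.append(h)
    return kept


if __name__ == "__main__":
    for name, pat in (("greedy", GREEDY), ("anchored", ANCHORED)):
        print(name, extract_host_num("host0877", pat), hosts_in_range(SAMPLE_HOSTS, 877, 2350, pat))
```

Running the block prints the suffix each pattern extracts from host0877 and the hosts each one keeps for the range 878 to 2350; only the anchored pattern keeps any. As the answer notes, this still pulls every host* event from the indexers before filtering, so it is a stopgap rather than a scoped search.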