I'm using splunk in HPC use cases that can span hundreds or even thousands of machines contiguously or potentially in segmented ranges. Although we have a convention, I find it hard at times to scope searches over a complete desired range of a given condition.
I would like to be able to do something like:
host=host[0001-0877,0899,1300-2350] but that doesn't seem to work. Is there another way to kind of dynamically scope ranges like this? I say dynamic because it isn't, and almost never will be, the exact same range per circumstance.
Define a macro like this:
[filter_range(4)]
args = field,prefix,from,to
definition = [localop | stats count | eval count = mvrange($from$,$to$) | mvexpand count | eval $field$ = "$prefix$".count | fields $field$]
errormsg = oops!
iseval = 0
validation = isnum(from) AND isnum(to)
Then search like this:
`filter_range(host,foo,100,200)` OR `filter_range(host,foo,900,950)`
Each call to the macro will generate a list of host=foo100 to host=foo200 (exclusive) OR'd together, by default limited to 10000 rows per subsearch. If you need zero-prefixes you will need to do a bit of formatting in the eval, and maybe add a fifth argument to tell how wide your number should be... or just add the 0 to the prefix.
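Another way to get the same scoped filter, as an added example that is not part of the answer above: build the OR clause outside Splunk and paste it into the search. The helper below parses the bracket syntax the question wishes for (host[0001-0877,0899,1300-2350]), zero-pads each number to the widest literal written in the spec, and emits host="..." OR clauses chunked to the 10000-term subsearch default the answer mentions. The spec grammar, the function names and the chunk size are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed spec shape, as the question wishes it worked (assumption):
#   "host[0001-0877,0899,1300-2350]"
SPEC_RE = re.compile(r"^(?P<prefix>[A-Za-z][\w-]*)\[(?P<ranges>[\d,\-\s]+)\]$")

def parse_range_spec(spec: str) -> Tuple[str, int, List[Tuple[int, int]]]:
    """Parse 'prefix[a-b,c,d-e]' into (prefix, width, [(a, b), (c, c), (d, e)]).

    width is the zero-padding width, taken from the longest literal in the spec,
    so 'host[0001-0877]' keeps four-digit names like host0001.
    """
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad range spec: {spec!r}")
    prefix = m.group("prefix")
    ranges: List[Tuple[int, int]] = []
    width = 0
    for part in m.group("ranges").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
        else:
            lo_s = hi_s = part
        lo, hi = int(lo_s), int(hi_s)
        if lo > hi:
            raise ValueError(f"descending range {part!r}")
        width = max(width, len(lo_s), len(hi_s))
        ranges.append((lo, hi))
    return prefix, width, ranges

def expand_hosts(spec: str) -> List[str]:
    """Materialise every host name in the spec, zero-padded to the spec's width."""
    prefix, width, ranges = parse_range_spec(spec)
    names = []
    for lo, hi in ranges:
        for n in range(lo, hi + 1):          # inclusive, unlike mvrange()
            names.append(f"{prefix}{n:0{width}d}")
    return names

def spl_host_filter(spec: str, field: str = "host", chunk: int = 10000) -> List[str]:
    """Return one or more SPL OR-clauses, each holding at most `chunk` terms.

    Splitting mirrors the default subsearch row limit quoted in the answer; each
    clause is a plain (field="value" OR ...) expression usable before the first pipe.
    """
    hosts = expand_hosts(spec)
    clauses = []
    for i in range(0, len(hosts), chunk):
        terms = " OR ".join(f'{field}="{h}"' for h in hosts[i:i + chunk])
        clauses.append(f"({terms})")
    return clauses

if __name__ == "__main__":
    for clause in spl_host_filter("host[0001-0003,0010]"):
        print(clause)
```

Because the generated terms are literal host="..." values, the filter is applied at index time rather than after the events are returned, which avoids the post-pipe filtering inefficiency raised in the other answer.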
This isn't a great answer, but you could do something like this in the immediate term:
host=host* sourcetype=foo | rex field=host "(?<host_num>\d+)$" | search host_num > 877 ....
You could also bake the field extraction into your configs like this so the field is there for searching prior to the first pipe. One of the issues with the above is that it will return all of the events and then strip out those you don't want, which isn't efficient.
props.conf:
[foo]
EXTRACT-foo_host_num = (?<host_num>\d+)$ in host
Beyond that I'm curious if anyone else has a different solution to this as I'd be interested as well!
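A quick check of the extraction regex, as an added example that is not from the answer above. The hostnames are constructed in the question's naming convention; Python spells the named group (?P<host_num>...) where Splunk's rex and EXTRACT use (?<host_num>...). It shows why a greedy \w+ in front of the capture is a trap: \w+ also matches digits, so it swallows the whole name and backtracks by a single character, leaving host_num as the last digit only. Anchoring the capture to the trailing digits returns the full number, and the range check then compares it numerically so "0877" is treated as 877.

```python
import re
from typing import Dict, Optional

# Constructed hostnames following the question's convention (assumption).
SAMPLE_HOSTS = ["host0001", "host0877", "host0899", "host2350"]

# Greedy form: \w+ consumes the digits too and gives back just one character,
# so host_num ends up as a single trailing digit.
GREEDY = re.compile(r"\w+(?P<host_num>\d+)")
# Anchored form: the run of digits at the end of the name, whatever precedes it.
ANCHORED = re.compile(r"(?P<host_num>\d+)$")

def extract_host_num(host: str, pattern: re.Pattern) -> Optional[str]:
    """Return the host_num capture for one hostname, or None if it does not match."""
    m = pattern.search(host)
    return m.group("host_num") if m else None

def compare_patterns(hosts=SAMPLE_HOSTS) -> Dict[str, Dict[str, Optional[str]]]:
    """Run both regexes over the sample hosts: {host: {'greedy': ..., 'anchored': ...}}."""
    return {
        h: {"greedy": extract_host_num(h, GREEDY),
            "anchored": extract_host_num(h, ANCHORED)}
        for h in hosts
    }

def in_range(host: str, lo: int, hi: int) -> bool:
    """Numeric range check on the anchored extraction; '0877' compares as 877."""
    num = extract_host_num(host, ANCHORED)
    return num is not None and lo <= int(num) <= hi

if __name__ == "__main__":
    for host, result in compare_patterns().items():
        print(host, result, "in 1-877:", in_range(host, 1, 877))
```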