I have some code deployed on 1 out of my 6 servers. I need a Splunk query that pulls data from the other 5 hosts. Something like: all except this 1 host. I know the host option in Splunk to look for the host's logs, but I have no idea how to do all except 1. Can someone please assist me?
The one box I am talking about has my latest code changes, and the other 5 have my old code. So I want to write a query to do a before vs after analysis.
Couple of options below.
Specify the 5 servers directly with an OR:
index=foo sourcetype=bar (host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5)
Assuming your sourcetype/index contains data that refers to those 6 hosts and only those, you can do a "return all but this one":
index=foo sourcetype=bar host!=hostIdontwanttosee
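Added example, not part of the original answer: for the before vs. after analysis the question describes, a single search can label each event by cohort instead of running two separate queries. It reuses the placeholder index, sourcetype and host name from the answer above; the 1-hour span and the field names cohort, events, hosts and events_per_host are assumptions chosen for illustration. Because the "before" cohort has 5 hosts and the "after" cohort has 1, the event count is divided by the number of hosts reporting in each time bucket so the two series are comparable.

```spl
index=foo sourcetype=bar
| eval cohort=if(host=="hostIdontwanttosee", "after", "before")
| bin _time span=1h
| stats count AS events, dc(host) AS hosts BY _time, cohort
| eval events_per_host=round(events/hosts, 2)
| xyseries _time cohort events_per_host
```

The result has one row per hour with a "before" and an "after" column, which can be charted directly or compared row by row.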