Splunk Search

Search multiple hosts with one search string

Xe03kfp
Path Finder

How would I search multiple hosts with one search string?

I have 6 hosts and want the results for all:

Search String:

index="rdpg"
( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null()) 
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral) 
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" max(dest_ip) as "Destin ip" by Ephemeral
| eval Seconds=Disconnect-Connect | fieldformat Seconds=strftime('Seconds', "%s") 
| eval "Total Time"=tostring(Seconds,"duration") 
| where Seconds > 300 
| search Connect=* Disconnect=*
| appendpipe [stats sum(Seconds) as "Total Seconds" ]
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)

Hosts= Srv004 Srv005 Srv181 Srv192 Srv142 Srv181

Tags (3)
0 Karma
1 Solution

herkalurk
Explorer

AND operators could help in this situation

host="srv004" AND host="srv005" AND .....

View solution in original post

msackett
New Member

How could you use wildcards in server name to get groups of host without typing each one in?

0 Karma

bliscuit
New Member

You can also use the regex command to pipe a field through a regular expression.

For example:

index=bro sourcetype=bro_conn
| regex dest_ip="/(^127.)|(^192.168.)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)|(^::1$)|(^[fF][cCdD])/"

0 Karma

hari2139
Engager

host="srv00*"

0 Karma

prabhu77749
Explorer

host=srv00* will give all hosts matching the wildcard.

0 Karma

herkalurk
Explorer

AND operators could help in this situation

host="srv004" AND host="srv005" AND .....

herkalurk
Explorer

If you were to do that report on each host individually, in the time frame you're searching, you got results from each host? I only want to make sure that the fact you're only seeing 2 hosts isn't because the others don't have data.

herkalurk
Explorer

Sorry, I should have said OR ...

host="srv004" OR host="srv005" OR .....

ryhluc01
Communicator

Thanks! This helped.

0 Karma

Xe03kfp
Path Finder

Didn't work

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...