Splunk Search

If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

idab
Path Finder

Hi,

I have 25 servers with the same prefix name and suffixed with different number host _1, host_2 ., ......, host_25.

How do you write a search to spool only the servers names from host_11 up to host_23? Instead of using the exclude operator (!=) on the hosts you don't need.

index=* counter="*"  Host="host _1*"    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, Karma would be appreciated.

View solution in original post

cramasta
Builder

I saw someone else do this before was a bit surprised it even worked.

index= index=* counter="*"   (host=host_1* OR  host=host_2*)  (host >= host_1 AND host <= host_25)  | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
0 Karma

ppablo
Retired

Hi @idab

Be sure to accept the answer that solved your question best, otherwise this will appear to other users as unresolved. Thanks!

Patrick

0 Karma

somesoni2
Revered Legend

Assuming that your host name have same name with suffix as number (1,2,3...24,25) no left padding, try something like this

index= index=* counter="*"  [| gentimes start=-1 | eval Host=mvrange(11,24) | table Host | mvexpand Host | eval Host="YourHostSuffix_".Host ]    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host

The subsearch will dynamically generate a OR condition as

Host=YourHostSuffix_11 OR Host=YourHostSuffix_12 OR.... OR Host=YourHostSuffix_23

. The only thing you need to provide is the suffix (YourHostSuffix above) and start index (11 in mvrange command) and End range (end range+1 =24 in mvrange).

idab
Path Finder

Thanks somesoni2

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, Karma would be appreciated.

idab
Path Finder

Thanks richgallowway!

0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...