We want to search for hundreds of hosts at a time. The question is similar to these:
^ Globbing is not good because a full text expansion will not match groups like the one in the title. Tags would be in the order of hundreds, which becomes difficult to maintain.
^ This is more promising, but not ideal for a managed installation where clients may use it, as the csv has to exist in a dir on the server.
What are the alternatives?
asked 16 Sep '10, 11:16
You could use the same technique as described in the following answer: http://answers.splunk.com/questions/6856/regular-expression-in-search
Specifying something like host321 - host426 is possible, but a little more complicated:
As subsearches are quite limited (default to 100 results), here is a slower, but less limited variant (just as an alternative):
If the lookup tables and tagging mentioned in the two answers you linked in your question do not work for you, you could define your server groups with wildcards. Such as doing a search for
Alternatively, could you define the hosts by a search? Then you could use a subsearch to define your hosts and push them to your desired search. This might be possible if your hosts have some distinct attribute you can search on. If all the desired hosts for example have a source in common, for example they all index an example.log file, you could craft your search as follows:
answered 16 Sep '10, 12:44
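For the numeric range mentioned above (host321 - host426), one way to get a single pattern is to generate it. This is an added example, not code from the thread or from Splunk, and it goes beyond that one range by handling any non-negative range. It assumes host names are a fixed prefix followed by an unpadded decimal number; the function names are hypothetical.

```python
import re

def _fill_nines(n, k):
    """Replace the last k digits of n with 9s, e.g. (321, 1) -> 329."""
    return n - n % 10**k + 10**k - 1

def _fill_zeros(n, k):
    """Replace the last k digits of n with 0s, e.g. (427, 1) -> 420."""
    return n - n % 10**k

def _split(lo, hi):
    """Upper bounds of sub-ranges that each reduce to one digit pattern."""
    stops = {hi}
    k, stop = 1, _fill_nines(lo, 1)
    while lo <= stop <= hi:
        stops.add(stop)
        k += 1
        stop = _fill_nines(lo, k)
    k, stop = 1, _fill_zeros(hi + 1, 1) - 1
    while lo < stop <= hi:
        stops.add(stop)
        k += 1
        stop = _fill_zeros(hi + 1, k) - 1
    return sorted(stops)

def _pattern(a, b):
    """Digit-by-digit pattern for a..b, which have equal length here."""
    out = []
    for x, y in zip(str(a), str(b)):
        out.append(x if x == y else r"\d" if (x, y) == ("0", "9") else f"[{x}-{y}]")
    return "".join(out)

def host_range_regex(prefix, lo, hi):
    """Anchored regex matching prefix<n> for every integer lo <= n <= hi."""
    if not 0 <= lo <= hi:
        raise ValueError("need 0 <= lo <= hi")
    parts, start = [], lo
    for stop in _split(lo, hi):
        parts.append(_pattern(start, stop))
        start = stop + 1
    return "^" + re.escape(prefix) + "(?:" + "|".join(parts) + ")$"

if __name__ == "__main__":
    # Constructed sample host names, not taken from the thread.
    rx = re.compile(host_range_regex("host", 321, 426))
    sample = ["host320", "host321", "host399", "host426", "host427", "host3210"]
    print(rx.pattern)
    print([h for h in sample if rx.match(h)])
```

The generated pattern is anchored at both ends, so host3210 or xhost321 do not match; it is the kind of expression that can be given to Splunk's `regex` command as a filter on the host field.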
Responding here to get the full formatting - this was solved using a combination of the above, although it's perhaps not as suitable as more advanced pattern matching on the host string.
Create a file (call it grp1) with the desired list of hosts inside. In this case I had a file containing
... and so on
You need to get Splunk to index this file; go w/o linemerge (use a newline breaker).
For whatever strange reason,
Displays the host field twice, and causes a strange artifact with | format, making your string look like
The | rex overcomes this problem, so the final search string (to search for all hosts you listed in the file):
The subsearch returns the results for the host group, the main search provides the data.
answered 17 Sep '10, 12:50