Filter on multiple hostnames

Hi,

I would like to filter data and show reports for a limited set of hostnames. They are not ordered in any logical way, not in different groups or OUs, and have random host names.

How can I apply a filter that includes two different host names for example? Or do I need to use a custom Splunk search?

Thanks

Erik

8 comments

  • Helge Klein (official comment)

    Hi Erik,

    Unfortunately that is currently not possible. Although you can combine multiple filters, those are combined with a logical AND. What you need is OR.

    What you could do is go to the chart you are interested in and hover with the mouse over it. You will see a grey bar near the bottom of the chart. Click the button "open in search".

    You can then modify the search to suit your needs. For an example please see my answer below.

    Alternatively click the little "i" button. A new window will pop up. Scroll down to the field called "search", copy the data and paste it into a Splunk search window.

  • 0
    Erik Janssens

    That is already useful information, thanks!

    A more advanced filtering system (or the possibility to add operators in the filter box) would be a nice addition I think!

  • 0
    Sacha Thomet

    I have the same need. @Erik, were you successful? What does your filter look like?

    I need to have a filter with multiple ClientNames; I need something like an OR statement.

  • 0
    Helge Klein

    The filter syntax to include any one of multiple values (in other words: OR) is like this:

    filter FIELDNAME in ("VALUE1","VALUE2","VALUE3")

    Of course, before using the above you need to replace FIELDNAME, VALUE1, VALUE2 and VALUE3 with what makes sense for your query. You can use any number of values in the parentheses.

  • 0
    Sacha Thomet

    Just tried with

    filter SessionClientName is ("*myhostname1","*myhostname2","*myhostname3")

    but I get no results.

    When I do

    filter SessionClientName is "*myhostname1"

    I have a result for one client.

  • 0
    Helge Klein

    Please use IN, not IS, with the list in parentheses.

    I am not sure if the wildcards work with the values in parentheses, but you can try.

    The corresponding Splunk documentation can be found here.

  • 0
    Sacha Thomet

    Thanks! Now I have the expected result!

  • 0
    Helge Klein

    Happy to hear that it is working!