https://community.splunk.com/t5/Getting-Data-In/How-to-find-which-Data-Source-an-event-is-originating-from/m-p/702760#M116232 <DIV><DIV class=""><DIV class=""><DIV class=""><P class="">Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237490">@mninansplunk</a>&nbsp; &nbsp;</P><UL><LI>If you're not sure which index contains your data, start with this search:</LI></UL><DIV class=""><DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">| tstats count where source="/var/www/html/PIM/var/log/webservices/*" by sourcetype index host</LI-CODE><P><SPAN><BR /><BR /></SPAN></P><P>&nbsp;</P><P class="">This is a fast way to find which indexes contain your data and see the associated hosts and sourcetypes.</P><UL><LI>Once you know the right index, you can do a more detailed search:</LI></UL><DIV class=""><DIV class="">&nbsp;</DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">index=&lt;your_index&gt; source="/var/www/html/PIM/var/log/webservices/*" | stats count by source sourcetype host</LI-CODE><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P class="">For Files &amp; Directories input - was it a typo there? single forward slashes like this?</P><DIV class=""><DIV class="">&nbsp;</DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">/HostName/var/www/html/PIM/var/log/webservices/* </LI-CODE><P>&nbsp;</P><DIV class=""><SPAN>make sure file permissions on your input directory </SPAN><SPAN>and your Splunk forwarder has access to the path</SPAN></DIV><P class="">Refer:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/GetthetutorialdataintoSplunk" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/GetthetutorialdataintoSplunk</A><BR /><A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/GetstartedwithSearch" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/GetstartedwithSearch</A><BR /><A href="https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html" target="_blank" rel="noopener">https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html</A><BR /><BR /><BR />If this helps, Please UpVote.</P><DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV> Fri, 25 Oct 2024 02:59:58 GMT sainag_splunk 2024-10-25T02:59:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-which-Data-Source-an-event-is-originating-from/m-p/702737#M116231 <P>Hello,</P><P>I'm having a hard time trying to find what data source events from a search are originating from, the Search is:</P><P>source="/var/www/html/PIM/var/log/webservices/*"</P><P>I've looked thru the "Files % Directories" (Which I thought I would find it in there) and the rest of the Data Inputs, but can't seem to locate it anywhere.</P><P>A side question <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; I tried creating a new Files % Directories Data Input by putting the full Linux path like below:</P><P>//HostName/var/www/html/PIM/var/log/webservices/*</P><P>But It says Path can't be empty.&nbsp; I'm sure this is probably not how you format a Linux path, just couldn't find what I'm doing wrong.</P><P>Thanks for any help at all,</P><P>Newb</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Oct 2024 20:27:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-which-Data-Source-an-event-is-originating-from/m-p/702737#M116231 mninansplunk 2024-10-24T20:27:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-which-Data-Source-an-event-is-originating-from/m-p/702760#M116232 <DIV><DIV class=""><DIV class=""><DIV class=""><P class="">Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237490">@mninansplunk</a>&nbsp; &nbsp;</P><UL><LI>If you're not sure which index contains your data, start with this search:</LI></UL><DIV class=""><DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">| tstats count where source="/var/www/html/PIM/var/log/webservices/*" by sourcetype index host</LI-CODE><P><SPAN><BR /><BR /></SPAN></P><P>&nbsp;</P><P class="">This is a fast way to find which indexes contain your data and see the associated hosts and sourcetypes.</P><UL><LI>Once you know the right index, you can do a more detailed search:</LI></UL><DIV class=""><DIV class="">&nbsp;</DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">index=&lt;your_index&gt; source="/var/www/html/PIM/var/log/webservices/*" | stats count by source sourcetype host</LI-CODE><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P class="">For Files &amp; Directories input - was it a typo there? single forward slashes like this?</P><DIV class=""><DIV class="">&nbsp;</DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">/HostName/var/www/html/PIM/var/log/webservices/* </LI-CODE><P>&nbsp;</P><DIV class=""><SPAN>make sure file permissions on your input directory </SPAN><SPAN>and your Splunk forwarder has access to the path</SPAN></DIV><P class="">Refer:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/GetthetutorialdataintoSplunk" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/GetthetutorialdataintoSplunk</A><BR /><A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/GetstartedwithSearch" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/GetstartedwithSearch</A><BR /><A href="https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html" target="_blank" rel="noopener">https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html</A><BR /><BR /><BR />If this helps, Please UpVote.</P><DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV> Fri, 25 Oct 2024 02:59:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-which-Data-Source-an-event-is-originating-from/m-p/702760#M116232 sainag_splunk 2024-10-25T02:59:58Z