topic Re: How can I search within the source names and source type names? in Getting Data In

How can I search within the source names and source type names?

mdickey — Wed, 19 Sep 2012 20:57:25 GMT

I'm using an existing Splunk instance that already has hundreds of sources and source types. How can I search among the source names and source type names to find sources of interest? For example, I would like to know the names of all sources that contain the string "prod" in the source name itself.

Re: How can I search within the source names and source type names?

lguinn2 — Wed, 19 Sep 2012 20:59:08 GMT

That's easy, just search

| metadata type=sources | where match(source,"prod")

| metadata type=sourcetypes | where match(sourcetype,"prod")

to get just a list of the sourceytpes or sources, with a little info about each. Note that the match function uses regular expressions. To actually search the data, you can use

source="*prod*"

sourcetype="*prod*"

HTH

Re: How can I search within the source names and source type names?

mdickey — Wed, 19 Sep 2012 21:24:58 GMT

Sorry, I must not have explained myself well. Your suggestion will search the actual event data. I don't want to search the data. I only want to get a back a list of source names that match. I want to search this list of source names themselves, not the data in the sources.

Re: How can I search within the source names and source type names?

lguinn2 — Wed, 19 Sep 2012 21:36:47 GMT

Updated my answer per your comments!

Re: How can I search within the source names and source type names?

mdickey — Wed, 19 Sep 2012 22:44:24 GMT

Wow, that works like magic, thanks!!

One tiny typo in the second one:
match(sourcetypes,"prod")
should be
match(sourcetype,"prod")

Thanks again!

Re: How can I search within the source names and source type names?

lguinn2 — Wed, 19 Sep 2012 23:38:48 GMT

Thanks for the catch on the typo, I fixed it!