topic Re: Multiple sourcetypes in a search? in Getting Data In

Multiple sourcetypes in a search?

PHRaymond — Sat, 17 Mar 2012 17:17:38 GMT

Just curious, can this search parameter be streamlined at all?

sourcetype=typeone OR sourcetype=typetwo OR sourcetype=typethree OR sourcetype=typefour

I'm just looking for something more elegant, so this isn't critical by any means. I was hoping for something like:

sourcetype=(typeone,typetwo,typethree,typefour)

but no love. Any thoughts?

Thank you.

Re: Multiple sourcetypes in a search?

dwaddle — Sat, 17 Mar 2012 18:23:35 GMT

There isn't anything directly like that in the search language. For a small set of sourcetypes (or any other field), an OR between each is the best approach. You can encapsulate this inside of a macro to make for less typing.

For a larger set (large enough to be willing to maintain a lookup table), you can emulate this using inputlookup and a subsearch. For example, define a lookup table in $SPLUNK_HOME/etc/system/lookups called many_sourcetypes.csv as follows:

sourcetype
typeone
typetwo
typethree
.
.
.
typefiftyseven

Then, in your search --

[ | inputlookup many_sourcetypes.csv | fields sourcetype ] ...

Re: Multiple sourcetypes in a search?

PHRaymond — Sat, 17 Mar 2012 18:24:54 GMT

That's pretty much what I figured. Thank you!

Re: Multiple sourcetypes in a search?

mux — Thu, 30 Jan 2014 13:30:19 GMT

You can also use tags on the sourcetypes.

tag=yourtagname yousearchhere

and it will search all the sourcetypes with that tag name.