<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to create a search from multiple sourcetypes? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-search-from-multiple-sourcetypes/m-p/375606#M68035</link>
    <description>&lt;P&gt;Hi kteng,&lt;/P&gt;

&lt;P&gt;I might not be following exactly what you are getting at, but this search will turn up all results from those sourcetypes, and do extractions for those fields:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;(sourcetype=cg_log OR sourcetype=resp_log OR sourcetype=jmx) | rex ".*GC\s(?&amp;lt;GC&amp;gt;[^:]+):.*" | rex ".*resptime:(?&amp;lt;resptime&amp;gt;\d+)" | rex ".*\s(?&amp;lt;jmx_field&amp;gt;\d+)$"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Or, at least, those regexes should be close.&lt;/P&gt;

&lt;P&gt;The important thing might be to notice that the initial search string has a couple of &lt;CODE&gt;OR&lt;/CODE&gt;s to say "I want all results for these three sourcetypes".&lt;/P&gt;

&lt;P&gt;Once you have those results, you can do whatever processing you like, as well as additional filtering.&lt;/P&gt;

&lt;P&gt;Please let me know if this answers your question! &lt;span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:"&gt;😄&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 14 Feb 2018 20:48:54 GMT</pubDate>
    <dc:creator>muebel</dc:creator>
    <dc:date>2018-02-14T20:48:54Z</dc:date>
    <item>
      <title>How to create a search from multiple sourcetypes?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-search-from-multiple-sourcetypes/m-p/375605#M68034</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;Below are the three different source types from which I am trying to get the specific values as highlighted. &lt;/P&gt;

&lt;P&gt;sourcetype: cg_log&lt;/P&gt;

&lt;P&gt;2017-02-15T05:47:45.107+1100:&lt;BR /&gt;
123564.781: [GC &lt;STRONG&gt;123564.781&lt;/STRONG&gt;: [ParameterNew: 637043K, 0.004 secs] 120590K-&amp;gt;600476K(20761856K), 0.004 secs]&lt;/P&gt;

&lt;P&gt;sourcetype: resp_log &lt;/P&gt;

&lt;P&gt;2017-02-15 05:51:09.012890 id:155678,name:[AB05:RMS] Prod: apacheweb : Pool15 application  pool,hostname:apacheweb.com,&lt;STRONG&gt;resptime:1378&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;sourcetype: jmx&lt;/P&gt;

&lt;P&gt;2017-02-14 15:49:53 apacheweb.eu.com &lt;STRONG&gt;318568616&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;Can someone please help me with the search? Below is the search I tried so far:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype=cg_log GC [search sourcetype=resp_log resptime | table resptime GC]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 14 Feb 2018 19:13:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-search-from-multiple-sourcetypes/m-p/375605#M68034</guid>
      <dc:creator>kteng2024</dc:creator>
      <dc:date>2018-02-14T19:13:37Z</dc:date>
    </item>
    <item>
      <title>Re: How to create a search from multiple sourcetypes?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-search-from-multiple-sourcetypes/m-p/375606#M68035</link>
      <description>&lt;P&gt;Hi kteng,&lt;/P&gt;

&lt;P&gt;I might not be following exactly what you are getting at, but this search will turn up all results from those sourcetypes, and do extractions for those fields:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;(sourcetype=cg_log OR sourcetype=resp_log OR sourcetype=jmx) | rex ".*GC\s(?&amp;lt;GC&amp;gt;[^:]+):.*" | rex ".*resptime:(?&amp;lt;resptime&amp;gt;\d+)" | rex ".*\s(?&amp;lt;jmx_field&amp;gt;\d+)$"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Or, at least, those regexes should be close.&lt;/P&gt;

&lt;P&gt;The important thing might be to notice that the initial search string has a couple of &lt;CODE&gt;OR&lt;/CODE&gt;s to say "I want all results for these three sourcetypes".&lt;/P&gt;

&lt;P&gt;Once you have those results, you can do whatever processing you like, as well as additional filtering.&lt;/P&gt;

&lt;P&gt;Please let me know if this answers your question! &lt;span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:"&gt;😄&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2018 20:48:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-search-from-multiple-sourcetypes/m-p/375606#M68035</guid>
      <dc:creator>muebel</dc:creator>
      <dc:date>2018-02-14T20:48:54Z</dc:date>
    </item>
  </channel>
</rss>

