topic Re: querying index in Dashboards & Visualizations

querying index

Jasmine — Fri, 12 Apr 2024 17:30:40 GMT

do we have splunk attribute to fetch index

we are passing index in splunk query. with only log file do we have any splunk attribute to fetch index???

index = aaa

index = bbb

like we have for host

index=aaa(source="/var/log/tes1.log" |stats count by host

Re: querying index

richgalloway — Fri, 12 Apr 2024 17:51:23 GMT

The field name ("attribute") for index is "index".

Re: querying index

Jasmine — Fri, 12 Apr 2024 18:31:17 GMT

i tried below: but it didnt return anything

(source="/var/ltest/test.log") |table index

Re: querying index

marnall — Fri, 12 Apr 2024 19:24:28 GMT

Do you get any events when you use this search? (You can also set the time range to be very large, in case the events from the log source are not in the past 24 hours. Also double-check that the source path is correct.)

index=* source="/var/ltest/test.log"

Re: querying index

richgalloway — Fri, 12 Apr 2024 19:43:55 GMT

Every query should specify an index name before the first pipe.

index=aaa source="/var/log/tes1.log" |stats count by index

Of course, there must be data in the specified index from the specified source for there to be results.

Re: querying index

Jasmine — Sat, 13 Apr 2024 04:04:29 GMT

so we cannot load index dynamically from log files, correct?

Re: querying index

isoutamo — Sat, 13 Apr 2024 07:01:10 GMT

it depends how your roles have defined in authorizations. There is an attribute srchIndexesDefault, which define what indexes are used when you don’t use index=xyz on your query. Of course you must have access to those indexes. This is defined with an attribute srchIndexesAllowed. Those both are define in authorize.conf.

As already has said, you should always use index=xyz on your queries to use needed/wanted indexes as different roles has different default indexes. IMHO you shouldn’t ever use srchIndexesDefault as it leads people to drop that index=xyz part away from queries.

r. Ismo

Re: querying index

richgalloway — Sat, 13 Apr 2024 12:13:12 GMT

No, you cannot get the index name from a log file.

The index is specified when the data is onboarded as part of the inputs.conf settings.

At search time, data is fetched from one or more indexes. Getting the index from a log file would mean going to an index to get a log file to get the name of an index. Doesn't make much sense.

What problem are you trying to solve?