https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554049#M157285 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;</P><P>Thank you for the advice! Yes I've actually been doing quite a bit of 'unstructured' learning, hopping here and there and also viewing youtube tutorials... I guess I was speeding thru the search fundamentals and missed out some essentials. I was able to create my own Splunk app to ingest some logs but realized I didn't fully understand some of the basics which were crucial for analysis.</P><P>Thanks once again for the links!</P> Wed, 02 Jun 2021 06:39:23 GMT william_choo 2021-06-02T06:39:23Z https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554013#M157275 <P>Hi,</P><P>I'm new to Splunk here...&nbsp;&nbsp;</P><P>I have a local instance of Splunk Enterprise on my local machine where I've created a data input via Data Input &gt; Files &amp; Directories, and then created an Index which I then map the data input to.</P><P>Within this folder, I've dumped various types of log files from different formats / types of web servers e.g. Apache webserver and IIS , even JSON-formatted log files for analysis.&nbsp;</P><P>When I do search for a field name that exists in log files from different formats, does the search results come out for both? Is there any link/doc that explains the best practices or how Splunk behaves with regards to how data is indexed in this circumstance?</P><P>Thanks in advance.</P> Wed, 02 Jun 2021 03:53:17 GMT https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554013#M157275 william_choo 2021-06-02T03:53:17Z https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554024#M157276 <P>Generally you would segregate your different log types into separate indexes and sourcetypes. The 'source' field will generally be the file (if it comes from a file) the data came from and sourcetype is based on your ingestion rules.</P><P>Yes, if you search&nbsp;</P><LI-CODE lang="markup">index=* field=x</LI-CODE><P>then it will find all data from the indexes where the events have a field called 'field' with the value x</P><P>I suggest you do the free Splunk Fundamentals 1 course and also read about getting data in</P><P><A href="https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html" target="_blank">https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Getstartedwithgettingdatain" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Getstartedwithgettingdatain</A></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 02 Jun 2021 04:56:14 GMT https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554024#M157276 bowesmana 2021-06-02T04:56:14Z https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554049#M157285 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;</P><P>Thank you for the advice! Yes I've actually been doing quite a bit of 'unstructured' learning, hopping here and there and also viewing youtube tutorials... I guess I was speeding thru the search fundamentals and missed out some essentials. I was able to create my own Splunk app to ingest some logs but realized I didn't fully understand some of the basics which were crucial for analysis.</P><P>Thanks once again for the links!</P> Wed, 02 Jun 2021 06:39:23 GMT https://community.splunk.com/t5/Splunk-Search/Searching-for-data-from-different-log-files-with-similar-field/m-p/554049#M157285 william_choo 2021-06-02T06:39:23Z