https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358236#M174566 <P>If your problem is resolved, please accept an answer.</P> Fri, 23 Jun 2017 11:57:11 GMT richgalloway 2017-06-23T11:57:11Z https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358232#M174562 <P>Let us think a scenario , where from different system having installed with Splunk forwarder connect to same SPLUNK server .So can we get the search option for a particular event (search string) which may occurs in in each different systems or client .</P> Tue, 20 Jun 2017 07:59:07 GMT https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358232#M174562 sambed 2017-06-20T07:59:07Z https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358233#M174563 <P>Sure. Simplest:</P> <PRE><CODE>index=* "My Search String" </CODE></PRE> <P>Not necessarily recommended unless you have a good idea what you are doing because it'll search ALL data for that string - but it'll work fine enough.</P> <P>Once you get results, you can use the Interesting Fields on the left to find out indexes and sourcetypes you need so that you can make the above search more specific (and thus faster). Like</P> <PRE><CODE>index=Z OR index=X OR index=Y EventCode=4226 </CODE></PRE> <P>Which would search in any of index X, Y or Z for a field named "EventCode" which is set to 4226.</P> <P>I recommend taking a look at the <A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchTutorial/WelcometotheSearchTutorial">search tutorial in Splunk docs</A>. You may also want to check out the <A href="https://www.splunk.com/view/education-videos/SP-CAAAGB6">Basic Searching in Splunk</A> free course.</P> Tue, 20 Jun 2017 11:44:30 GMT https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358233#M174563 Richfez 2017-06-20T11:44:30Z https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358234#M174564 <P>Hi sambed,<BR /> on Forwarders there aren't indexed logs, they are only in Splunk Enterprise.<BR /> So if you want only logs from a single Forwarder, you can run a search with the host value, something like this:</P> <PRE><CODE>index=your_index host=your_forwarder </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 20 Jun 2017 11:45:27 GMT https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358234#M174564 gcusello 2017-06-20T11:45:27Z https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358235#M174565 <P>Thank You Cusello and Rich . <BR /> Your info is very helpful.</P> Fri, 23 Jun 2017 07:43:40 GMT https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358235#M174565 sambed 2017-06-23T07:43:40Z https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358236#M174566 <P>If your problem is resolved, please accept an answer.</P> Fri, 23 Jun 2017 11:57:11 GMT https://community.splunk.com/t5/Splunk-Search/Do-we-able-to-search-string-from-different-index-which-resides/m-p/358236#M174566 richgalloway 2017-06-23T11:57:11Z