topic Re: Index,sourcetype as parameter in search in Splunk Search

Index,sourcetype as parameter in search

splunk_learner — Fri, 28 Dec 2012 11:03:41 GMT

Hi,
I want search query to read my index name and sourcetype name from config file.So that if there is any change in future,i dont have to edit all of the searches for a particular app.Is there any way to pass parameter from config file to search query for an particular app only.

Re: Index,sourcetype as parameter in search

jonuwz — Fri, 28 Dec 2012 11:09:15 GMT

The usual way to do this is to create a macro called something like get_index_name

Then have the macro return the name of the index.

i.e. the macro would be defined as :

"index=my_index"

Then all your searches in the app start with

`get_index_name`

When you need to update the name of the index, you just alter the definition of the macro in one place and you're set.

Re: Index,sourcetype as parameter in search

splunk_learner — Fri, 28 Dec 2012 11:12:33 GMT

Thanks.This seems to be a gud idea.
I was wondering can inputs.config help us in this requirement?

Re: Index,sourcetype as parameter in search

jonuwz — Fri, 28 Dec 2012 11:40:21 GMT

I don't think so. Inputs.conf determines where splunk gets data from, it doesn't set variables.

Also - this isn't my idea, Its just i've noticed that this is how some of the most popular apps on splunk-base tackle the problem