https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319386#M95496 <P>No, it just adds a new field to all events that get indexed that identifies the sending forwarder. </P> Fri, 13 Sep 2019 05:19:11 GMT masonmorales 2019-09-13T05:19:11Z https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319381#M95491 <P>I would like to add which index each of these hosts comes from in this search.</P> <PRE><CODE>index=_internal source=*/metrics.log component=Metrics host=*hf* group=tcpin* | top limit=10000 hostname host version os arch </CODE></PRE> <P>I was trying to append a list of servers from just a normal "index=foo" search, but I couldn't get that working.</P> <PRE><CODE>hostname host version os arch count percent bar barhost1 5.0.2 Windows x64 556 2.839632 barhost2 </CODE></PRE> <P>Sorry for the formatting.</P> <P>Also, this search shows us which Heavy Forwarders each device is sending logs to. Instead of having a separate line for each Heavy Forwarder a device is sending to, I'd like to combine those values into 1 field per line, as shown above.</P> <P>Thanks!</P> Tue, 11 Apr 2017 20:13:59 GMT https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319381#M95491 aferone 2017-04-11T20:13:59Z https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319382#M95492 <P>I use an indexed field called, "splunk_forwarder" to identify my heavy forwarders. Using an indexed field allows me to see which HF sent an event, regardless of which sourcetype I'm looking at. Here's a <A href="http://www.masonsmorales.com/splunk-blog/creating-indexed-fields-in-splunk-to-identify-heavy-forwarders">blog post</A> about it. </P> Tue, 11 Apr 2017 23:38:36 GMT https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319382#M95492 masonmorales 2017-04-11T23:38:36Z https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319383#M95493 <P>But can you see which index that device is associated with?</P> Wed, 12 Apr 2017 18:44:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319383#M95493 aferone 2017-04-12T18:44:56Z https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319384#M95494 <P>Yes, then you could do something like <CODE>index=* splunk_forwarder=* | stats values(index) as indexes by splunk_forwarder</CODE></P> Mon, 17 Apr 2017 23:49:20 GMT https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319384#M95494 masonmorales 2017-04-17T23:49:20Z https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319385#M95495 <P>But are you now searching all raw data that way? Instead of using _internal or summarized data?</P> Tue, 18 Apr 2017 14:07:40 GMT https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319385#M95495 aferone 2017-04-18T14:07:40Z https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319386#M95496 <P>No, it just adds a new field to all events that get indexed that identifies the sending forwarder. </P> Fri, 13 Sep 2019 05:19:11 GMT https://community.splunk.com/t5/Splunk-Search/Search-Help-Add-Index-to-this-internal-Search-And-combine-hosts/m-p/319386#M95496 masonmorales 2019-09-13T05:19:11Z