How do you search only by value?

I am completely new in Splunk and coming from SQL so I cannot understand something.

If I query by this: sourcetype="linux_secure", then I get data in the result -> OK.
But then as I am an SQL guy, in my world, if I change the query to linux*, then I expect to get all the data where Linux exists no matter the source type. But, I get nothing in the result.

Another small question:
Is source type by itself a key in Splunk language and Linux?

0 Karma


When you search only for the string "linux*", Splunk will look for matches to that string / pattern in the raw event data only. You may have any number of events with the "linux_secure" sourcetype, and it's possible that none of those events contain the "linux" string - either at all, or for the time range you currently have selected in the time picker (have you tried expanding the time range?).

Additionally, it is best practice to explicitly specify one or more indexes from which to search for events, as the user you're logged in as may only be configured to search a subset of those indexes you're allowed to search by default (i.e. without an explicit index={indexname} clause added to your search). For example, Splunk may have relevant data in the "os" index for you, but by default your user account is only configured to search the "main" index without explicit "index=" statements in your search query. In this situation you can find the relevant data in the "os" index by adding "index=os" to your search query.

If you are the admin user to the Splunk instance you're using, look in the Access Controls settings at the admin role configuration at the "indexes searched by default" section and adjust as needed to add "all non-internal indexes" or something else more appropriate to your specific needs. If you're not the admin, I recommend you contact that person to review your current role assignment and/or role configuration.

Additionally, since you are new to Splunk, I recommend looking at the Search Tutorial and Search Manual, both found in the Splunk Docs site. Splunk has excellent product documentation that's useful for users of all experience levels.

Hope this helps!

0 Karma

Thanks @delappml3
I am currently following the Fundamentals 1 course, so I follow the study guide, but they don't cover specific questions which arise in my head.

So you mean that as long as I don't specify anything else but linux*, there will be a search only on values, which would explain why I don't get anything (if no value exists with linux*)?
E.g. this will not come out in the result:
linux_secure: someValue (because even though there is a string with linux, this is only the source type, and since I haven't specified a source type, the search will not search in source type), am I correct?

0 Karma


@net1993 - You are correct. Here are some example searches for comparison:

fail (This searches within the raw events only for the word "fail".)
fail* (Similar to above, but will return events that contain words that contain fail - i.e. fail, failure, failed, etc.)
sourcetype=linuxsecure fail* (This is similar to above, but will only search events having the sourcetype of linuxsecure.)

Sourcetype, along with source and host, are metadata fields that you will find with every event in Splunk. These fields and their values are independent of the actual contents of the raw event data.

The Fundamentals I course will definitely help you to boost your understanding.

0 Karma
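
A simplified Python model of the behaviour described in the two answers above (an added example, not code from the original posts and not Splunk's implementation): bare terms match words in the raw event text, field=value clauses match metadata fields, and a search without index= only sees the default indexes. The sample events, the `search` helper and the `main`/`os` index layout are constructed assumptions.

```python
import fnmatch
import re

METADATA = ("index", "sourcetype", "source", "host")

# Constructed sample events. Metadata fields sit beside _raw, not inside it.
EVENTS = [
    {"index": "main", "sourcetype": "linux_secure", "host": "web01",
     "_raw": "Mar  3 10:01:22 web01 sshd[811]: Failed password for root from 10.0.0.5"},
    {"index": "main", "sourcetype": "linux_secure", "host": "web01",
     "_raw": "Mar  3 10:01:30 web01 sshd[811]: Accepted password for deploy from 10.0.0.9"},
    {"index": "os", "sourcetype": "syslog", "host": "db01",
     "_raw": "Mar  3 09:58:10 db01 kernel: Linux version 5.15.0 booted"},
]


def search(query, default_indexes=("main",)):
    """Simplified model: bare terms match words in _raw, field=value matches metadata."""
    terms, filters = [], {}
    for tok in query.split():
        field, sep, value = tok.partition("=")
        if sep and field in METADATA:
            filters[field] = value.strip('"').lower()
        else:
            terms.append(tok.lower())
    hits = []
    for ev in EVENTS:
        # Without an explicit index= clause only the default indexes are searched.
        if "index" not in filters and ev["index"] not in default_indexes:
            continue
        # Metadata filters are compared with the field value, never with _raw.
        if not all(fnmatch.fnmatchcase(ev.get(f, "").lower(), p) for f, p in filters.items()):
            continue
        # Bare terms are compared with the words of the raw text only.
        words = re.findall(r"[a-z0-9_]+", ev["_raw"].lower())
        if all(any(fnmatch.fnmatchcase(w, t) for w in words) for t in terms):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for q in ('sourcetype="linux_secure"', "linux*", "sourcetype=linux*",
              "sourcetype=linux* fail*", "index=os linux*"):
        print(f"{q!r:32} -> {[e['sourcetype'] for e in search(q)]}")
```

In this model `linux*` returns nothing from the default index even though two events carry the linux_secure sourcetype, while `index=os linux*` returns the one event whose raw text actually contains the word.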