querying index

Jasmine
Path Finder

Do we have a Splunk attribute to fetch the index?

We are passing the index in the Splunk query. With only a log file, do we have any Splunk attribute to fetch the index?

index = aaa

index = bbb

like we have for host

index=aaa source="/var/log/tes1.log" | stats count by host

0 Karma

Jasmine
Path Finder

I tried the search below, but it didn't return anything:

(source="/var/ltest/test.log") |table index

0 Karma

richgalloway
SplunkTrust

Every query should specify an index name before the first pipe.

index=aaa source="/var/log/tes1.log" |stats count by index

Of course, there must be data in the specified index from the specified source for there to be results.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Jasmine
Path Finder

So we cannot load the index dynamically from log files, correct?

0 Karma

richgalloway
SplunkTrust

No, you cannot get the index name from a log file.

The index is specified when the data is onboarded as part of the inputs.conf settings.

At search time, data is fetched from one or more indexes.  Getting the index from a log file would mean going to an index to get a log file to get the name of an index.  Doesn't make much sense.

What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust

Hi

It depends on how your roles have been defined in authorizations. There is an attribute srchIndexesDefault, which defines which indexes are used when you don't use index=xyz in your query. Of course you must have access to those indexes. This is defined with an attribute srchIndexesAllowed. Both of these are defined in authorize.conf.

As has already been said, you should always use index=xyz in your queries to search the needed/wanted indexes, as different roles have different default indexes. IMHO you shouldn't ever use srchIndexesDefault, as it leads people to drop the index=xyz part from their queries.

r. Ismo
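An illustration of the role settings Ismo describes, added here as an example and not taken from the thread or from any real deployment; the role names are made up, and the index names reuse the aaa/bbb from the question. It shows why the same search without index= can return different data for different roles, and how a role with an empty default forces searches to name their index.

```ini
# authorize.conf (constructed example, not from the original thread)
# Two roles may search the same indexes but fall back to different
# defaults when a search omits index=...

[role_soc_analyst]
# Indexes this role may ever search (semicolon-separated, wildcards allowed).
srchIndexesAllowed = aaa;bbb
# Searched when a query has no index= term: only aaa for this role.
srchIndexesDefault = aaa

[role_app_support]
srchIndexesAllowed = aaa;bbb
# Same allowed set, but the default is bbb, so
#   source="/var/log/tes1.log" | stats count by host
# silently returns a different result set than it does for role_soc_analyst.
srchIndexesDefault = bbb

[role_auditor]
srchIndexesAllowed = aaa;bbb
# Empty default: a search that omits index= returns nothing, so every
# saved search and dashboard panel has to state its index explicitly.
# (Roles imported via importRoles contribute their own defaults too.)
srchIndexesDefault =
```

To check what a role actually has in effect, including anything inherited via importRoles, run `| rest /services/authorization/roles | table title srchIndexesDefault srchIndexesAllowed` from a search head where your role is allowed to use the rest command.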

marnall
Builder

Do you get any events when you use this search? (You can also set the time range to be very large, in case the events from the log source are not in the past 24 hours. Also double-check that the source path is correct.)

index=* source="/var/ltest/test.log"


0 Karma

richgalloway
SplunkTrust

The field name ("attribute") for index is "index".

---
If this reply helps you, Karma would be appreciated.
0 Karma