Solved: How can I search within the source names and sourc...

mdickey · ‎09-19-2012

I'm using an existing Splunk instance that already has hundreds of sources and source types. How can I search among the source names and source type names to find sources of interest? For example, I would like to know the names of all sources that contain the string "prod" in the source name itself.

lguinn2 · ‎09-19-2012

That's easy, just search

| metadata type=sources | where match(source,"prod")

or

| metadata type=sourcetypes | where match(sourcetype,"prod")

to get just a list of the sourceytpes or sources, with a little info about each. Note that the match function uses regular expressions. To actually search the data, you can use

source="*prod*"

or

sourcetype="*prod*"

HTH

View solution in original post

lguinn2 · ‎09-19-2012

That's easy, just search

| metadata type=sources | where match(source,"prod")

or

| metadata type=sourcetypes | where match(sourcetype,"prod")

to get just a list of the sourceytpes or sources, with a little info about each. Note that the match function uses regular expressions. To actually search the data, you can use

source="*prod*"

or

sourcetype="*prod*"

HTH

lguinn2 · ‎09-19-2012

Thanks for the catch on the typo, I fixed it!

mdickey · ‎09-19-2012

Wow, that works like magic, thanks!!

One tiny typo in the second one:
match(sourcetypes,"prod")
should be
match(sourcetype,"prod")

Thanks again!

lguinn2 · ‎09-19-2012

Updated my answer per your comments!

mdickey · ‎09-19-2012

Sorry, I must not have explained myself well. Your suggestion will search the actual event data. I don't want to search the data. I only want to get a back a list of source names that match. I want to search this list of source names themselves, not the data in the sources.

How can I search within the source names and source type names?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk