Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I search within the source names and sourc...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mdickey
Engager
09-19-2012
01:57 PM
I'm using an existing Splunk instance that already has hundreds of sources and source types. How can I search among the source names and source type names to find sources of interest? For example, I would like to know the names of all sources that contain the string "prod" in the source name itself.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-19-2012
01:59 PM
That's easy, just search
| metadata type=sources | where match(source,"prod")
or
| metadata type=sourcetypes | where match(sourcetype,"prod")
to get just a list of the sourceytpes or sources, with a little info about each. Note that the match function uses regular expressions. To actually search the data, you can use
source="*prod*"
or
sourcetype="*prod*"
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-19-2012
01:59 PM
That's easy, just search
| metadata type=sources | where match(source,"prod")
or
| metadata type=sourcetypes | where match(sourcetype,"prod")
to get just a list of the sourceytpes or sources, with a little info about each. Note that the match function uses regular expressions. To actually search the data, you can use
source="*prod*"
or
sourcetype="*prod*"
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-19-2012
04:38 PM
Thanks for the catch on the typo, I fixed it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mdickey
Engager
09-19-2012
03:44 PM
Wow, that works like magic, thanks!!
One tiny typo in the second one:
match(sourcetypes,"prod")
should be
match(sourcetype,"prod")
Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-19-2012
02:36 PM
Updated my answer per your comments!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mdickey
Engager
09-19-2012
02:24 PM
Sorry, I must not have explained myself well. Your suggestion will search the actual event data. I don't want to search the data. I only want to get a back a list of source names that match. I want to search this list of source names themselves, not the data in the sources.
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
