- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to combine all the source types in single sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine all the source types in single search result?
I have almost 19 different indexes, which was already mentioned in my inputs.conf file. But today I got to know that the source type are not same for the same log files which are indexing daily on the real time format. But I had perform the search result always with a single source type and created a email alert notification with it. Due to different source types are available in my log files, so lot of errors are not coming in my search result and i missed those errors.
Can anyone help me out from this problem that how can I combine all source types in a single search result and extract my important fields which will be present in all source types and create a complete search result?
Please mentioned the link also if you have.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @saibal6,
What about
index=your index (sourcetype="sourcetypeA" OR sourcetype="sourcetypeB" OR sourcetype="sourcetypeC" OR .....)|fields <your important fields>
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith.nair,
I have already tried with your mentioned search and it's working properly.
But in my case I want to write a dynamic search result only for source types, so that I can easily monitor every source types very easily.
Can you help me on this matter?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you solve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tokio13
You're responding to an old thread. Some of the original contributors might not even be using community forums anymore. You'd gain more visibility if you posted a new thread with a description of your problem.
If the partial solutions presented here are relevant to your case you might include a link to this thread for reference.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @saibal6,
You shall try with sourcetype=* as well and also add one of the common fields into the search as your_field=* so that it gets only those events which has this field. Hope this helps and please feel free to vote and accept the answer
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith.nair,
I have already tried with this search result. It's working but my concern is my source types are not static. Data indexing in any source type randomly, so i need a dynamic search result for source type which will get the all source types.
Could you please give me any dynamic search result for different source types?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post two of your searches?
Your Guide to SPL2 at .conf24!
Get ready to show some Splunk Certification swagger at .conf24!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
