Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to combine all the source types in single search result?

saibal6
Path Finder
‎06-26-2018 06:50 AM

I have almost 19 different indexes, which was already mentioned in my inputs.conf file. But today I got to know that the source type are not same for the same log files which are indexing daily on the real time format. But I had perform the search result always with a single source type and created a email alert notification with it. Due to different source types are available in my log files, so lot of errors are not coming in my search result and i missed those errors.

Can anyone help me out from this problem that how can I combine all source types in a single search result and extract my important fields which will be present in all source types and create a complete search result?
Please mentioned the link also if you have.

Labels (1)
Labels
0 Karma
Reply

renjith_nair
Legend
‎06-26-2018 08:03 AM

Hi @saibal6,

What about 

index=your index  (sourcetype="sourcetypeA" OR sourcetype="sourcetypeB" OR sourcetype="sourcetypeC" OR .....)|fields <your important fields>
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

saibal6
Path Finder
‎06-27-2018 02:23 AM

Hi @renjith.nair,

I have already tried with your mentioned search and it's working properly.

But in my case I want to write a dynamic search result only for source types, so that I can easily monitor every source types very easily.

Can you help me on this matter?

0 Karma
Reply

tokio13
Path Finder
‎09-14-2022 07:19 AM

How did you solve this?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-15-2022 06:38 AM

Hi @tokio13 

You're responding to an old thread. Some of the original contributors might not even be using community forums anymore. You'd gain more visibility if you posted a new thread with a description of your problem.

If the partial solutions presented here are relevant to your case you might include a link to this thread for reference.

 

0 Karma
Reply

renjith_nair
Legend
‎06-27-2018 02:34 AM

Hi @saibal6,

You shall try with sourcetype=* as well and also add one of the common fields into the search as your_field=* so that it gets only those events which has this field. Hope this helps and please feel free to vote and accept the answer

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

saibal6
Path Finder
‎06-26-2018 11:57 PM

Hi @renjith.nair,

I have already tried with this search result. It's working but my concern is my source types are not static. Data indexing in any source type randomly, so i need a dynamic search result for source type which will get the all source types.

Could you please give me any dynamic search result for different source types?

0 Karma
Reply

jplumsdaine22
Influencer
‎06-26-2018 07:39 AM

Can you post two of your searches?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...