Getting Data In

Metadata and tstats give different sources: How do I get the list of sources based on the tstats result?

yaharga
Path Finder

I have two search queries:

| metadata index=* type=sources

that results in something like the following (under the source field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/dolor/sit/tortor-adaptor.log.1
/lorem/ipsum/dolor/sit/tortor-adaptor.log.10
/lorem/ipsum/dolor/sit/tortor-adaptor.log.11
/lorem/ipsum/dolor/sit/tortor-adaptor.log.12
/lorem/ipsum/dolor/sit/tortor-adaptor.log.13
/lorem/ipsum/dolor/sit/tortor-adaptor.log.14
/lorem/ipsum/dolor/sit/tortor-adaptor.log.15

 then there's the following search

| tstats values(source) where index=*

that produces something like the following (under the values(source) field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/nunc-test.log.1
/lorem/ipsum/dolor/sit/pulvinar/ex-eros.log
/comsed/ipsum/dolor/ut-eget.log
/donec/sit/nam-libero.log.1
/aliquet/ipsum/dolor/sit/vel-arcu.log

 

Why is Splunk showing me different results?

Also, how can I search for all the increments of the source if I know what it is? For example, if I have "/lorem/ipsum/dolor/sit/tortor-adaptor.log" how can I find all of its increments (e.g. "/lorem/ipsum/dolor/sit/tortor-adaptor.log.1, /lorem/ipsum/dolor/sit/tortor-adaptor.log.2, /lorem/ipsum/dolor/sit/tortor-adaptor.log.3")?

Labels (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.

 

how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it because Splunk will always monitor tortor-adaptor.log file not the rolled over filed (tortor-adaptor.log.1, tortor-adaptor.log.2, etc)

* So when you start logging for the first time only at that time it will monitor rolled-over files.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.

 

how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it because Splunk will always monitor tortor-adaptor.log file not the rolled over filed (tortor-adaptor.log.1, tortor-adaptor.log.2, etc)

* So when you start logging for the first time only at that time it will monitor rolled-over files.

0 Karma
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...