Getting Data In

Metadata and tstats give different sources: How do I get the list of sources based on the tstats result?

yaharga
Path Finder

I have two search queries:

| metadata index=* type=sources

that results in something like the following (under the source field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/dolor/sit/tortor-adaptor.log.1
/lorem/ipsum/dolor/sit/tortor-adaptor.log.10
/lorem/ipsum/dolor/sit/tortor-adaptor.log.11
/lorem/ipsum/dolor/sit/tortor-adaptor.log.12
/lorem/ipsum/dolor/sit/tortor-adaptor.log.13
/lorem/ipsum/dolor/sit/tortor-adaptor.log.14
/lorem/ipsum/dolor/sit/tortor-adaptor.log.15

 then there's the following search

| tstats values(source) where index=*

that produces something like the following (under the values(source) field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/nunc-test.log.1
/lorem/ipsum/dolor/sit/pulvinar/ex-eros.log
/comsed/ipsum/dolor/ut-eget.log
/donec/sit/nam-libero.log.1
/aliquet/ipsum/dolor/sit/vel-arcu.log

 

Why is Splunk showing me different results?

Also, how can I search for all the increments of the source if I know what it is? For example, if I have "/lorem/ipsum/dolor/sit/tortor-adaptor.log" how can I find all of its increments (e.g. "/lorem/ipsum/dolor/sit/tortor-adaptor.log.1, /lorem/ipsum/dolor/sit/tortor-adaptor.log.2, /lorem/ipsum/dolor/sit/tortor-adaptor.log.3")?

Labels (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.

 

how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it because Splunk will always monitor tortor-adaptor.log file not the rolled over filed (tortor-adaptor.log.1, tortor-adaptor.log.2, etc)

* So when you start logging for the first time only at that time it will monitor rolled-over files.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.

 

how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it because Splunk will always monitor tortor-adaptor.log file not the rolled over filed (tortor-adaptor.log.1, tortor-adaptor.log.2, etc)

* So when you start logging for the first time only at that time it will monitor rolled-over files.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...