Getting Data In

Metadata and tstats give different sources: How do I get the list of sources based on the tstats result?

yaharga
Path Finder

I have two search queries:

| metadata index=* type=sources

that results in something like the following (under the source field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/dolor/sit/tortor-adaptor.log.1
/lorem/ipsum/dolor/sit/tortor-adaptor.log.10
/lorem/ipsum/dolor/sit/tortor-adaptor.log.11
/lorem/ipsum/dolor/sit/tortor-adaptor.log.12
/lorem/ipsum/dolor/sit/tortor-adaptor.log.13
/lorem/ipsum/dolor/sit/tortor-adaptor.log.14
/lorem/ipsum/dolor/sit/tortor-adaptor.log.15

 then there's the following search

| tstats values(source) where index=*

that produces something like the following (under the values(source) field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/nunc-test.log.1
/lorem/ipsum/dolor/sit/pulvinar/ex-eros.log
/comsed/ipsum/dolor/ut-eget.log
/donec/sit/nam-libero.log.1
/aliquet/ipsum/dolor/sit/vel-arcu.log

 

Why is Splunk showing me different results?

Also, how can I search for all the increments of the source if I know what it is? For example, if I have "/lorem/ipsum/dolor/sit/tortor-adaptor.log" how can I find all of its increments (e.g. "/lorem/ipsum/dolor/sit/tortor-adaptor.log.1, /lorem/ipsum/dolor/sit/tortor-adaptor.log.2, /lorem/ipsum/dolor/sit/tortor-adaptor.log.3")?

Labels (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.

 

how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it because Splunk will always monitor tortor-adaptor.log file not the rolled over filed (tortor-adaptor.log.1, tortor-adaptor.log.2, etc)

* So when you start logging for the first time only at that time it will monitor rolled-over files.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.

 

how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it because Splunk will always monitor tortor-adaptor.log file not the rolled over filed (tortor-adaptor.log.1, tortor-adaptor.log.2, etc)

* So when you start logging for the first time only at that time it will monitor rolled-over files.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...