Getting Data In

Metadata and tstats give different sources: How do I get the list of sources based on the tstats result?

yaharga
Path Finder

I have two search queries:

| metadata index=* type=sources

that results in something like the following (under the source field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/dolor/sit/tortor-adaptor.log.1
/lorem/ipsum/dolor/sit/tortor-adaptor.log.10
/lorem/ipsum/dolor/sit/tortor-adaptor.log.11
/lorem/ipsum/dolor/sit/tortor-adaptor.log.12
/lorem/ipsum/dolor/sit/tortor-adaptor.log.13
/lorem/ipsum/dolor/sit/tortor-adaptor.log.14
/lorem/ipsum/dolor/sit/tortor-adaptor.log.15

then there's the following search

| tstats values(source) where index=*

that produces something like the following (under the values(source) field)

/lorem/ipsum/dolor/sit/tortor-adaptor.log
/lorem/ipsum/nunc-test.log.1
/lorem/ipsum/dolor/sit/pulvinar/ex-eros.log
/comsed/ipsum/dolor/ut-eget.log
/donec/sit/nam-libero.log.1
/aliquet/ipsum/dolor/sit/vel-arcu.log


Why is Splunk showing me different results?

Also, how can I search for all the increments of the source if I know what it is? For example, if I have "/lorem/ipsum/dolor/sit/tortor-adaptor.log" how can I find all of its increments (e.g. "/lorem/ipsum/dolor/sit/tortor-adaptor.log.1, /lorem/ipsum/dolor/sit/tortor-adaptor.log.2, /lorem/ipsum/dolor/sit/tortor-adaptor.log.3")?

1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

Make sure you are running both searches in the same time range.

Otherwise, I don't see any reason for them to show different results.


how can I search for all the increments of the source if I know what it is?

* You can use the search with metadata command.

* But you generally don't need it, because Splunk will always monitor the tortor-adaptor.log file, not the rolled-over files (tortor-adaptor.log.1, tortor-adaptor.log.2, etc.).

* So only when you start logging for the first time will it monitor the rolled-over files.

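As an added example (not from the thread), the metadata-based search the answer refers to, listing every rolled-over increment of the source path from the question in one table; base_source and increment are names assumed here for the extracted fields:

```spl
| metadata index=* type=sources
| search source="/lorem/ipsum/dolor/sit/tortor-adaptor.log*"
| rex field=source "^(?<base_source>.+?\.log)(?:\.(?<increment>\d+))?$"
| fillnull value=0 increment
| eval firstSeen=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastSeen=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table base_source increment source totalCount firstSeen lastSeen
| sort base_source, num(increment)
```

The fillnull puts the live file (increment 0) before its rolled-over copies, and num() sorts .10 after .2 instead of lexically; when comparing against the tstats search, run both over the same time range as the answer advises.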
