Want to combine all the source types in single search result.

Path Finder

I have almost 19 different indexes, which were already mentioned in my inputs.conf file. But today I got to know that the source types are not the same for the same log files which are being indexed daily in real time. But I had always performed the search with a single source type and created an email alert notification with it. Because different source types are present in my log files, a lot of errors are not coming in my search result and I missed those errors.

Can anyone help me out with this problem: how can I combine all source types in a single search result, extract my important fields which will be present in all source types, and create a complete search result?
Please mention the link also if you have one.

SplunkTrust

Hi @saibal6,

What about

index=your index  (sourcetype="sourcetypeA" OR sourcetype="sourcetypeB" OR sourcetype="sourcetypeC" OR .....)|fields <your important fields>

Path Finder

Hi @renjith.nair,

I have already tried with your mentioned search and it's working properly.

But in my case I want to write a dynamic search for source types, so that I can easily monitor every source type.

Can you help me on this matter?

SplunkTrust

Hi @saibal6,

You could try with sourcetype=* as well, and also add one of the common fields into the search as your_field=* so that it gets only those events which have this field. Hope this helps, and please feel free to vote and accept the answer.

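As an added illustration of the approach in the answer above (not a search from the original thread), here is a complete search that avoids hard-coding source types and instead keys on a field the events share. The index name, the field names error_code and error_msg, and the threshold are assumptions; replace them with the index and common fields from your own data.

```spl
index=your_index sourcetype=* error_code=*
| eval error_code=coalesce(error_code, err_code, errorCode)
| where like(error_code, "E%") OR error_code >= 500
| stats count AS errors, latest(error_msg) AS last_message,
        latest(_time) AS last_seen BY sourcetype, error_code
| where errors > 0
| convert ctime(last_seen)
| sort - errors
```

The search picks up every source type in the index because the filter is on a field rather than on a source type list, so a new source type appearing tomorrow is included automatically as long as it carries the common field. The coalesce line is the caveat worth checking before wiring this into an alert: the "same" field is sometimes extracted under slightly different names in different source types, and an event whose error field has a different name would silently fall out of the sourcetype=* search just as it did before. Running the search once with | stats count by sourcetype and comparing against | metadata type=sourcetypes index=your_index shows whether any source type is contributing no events at all.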
Path Finder

Hi @renjith.nair,

I have already tried this search. It's working, but my concern is that my source types are not static. Data is being indexed into any source type randomly, so I need a dynamic search for source type which will get all the source types.

Could you please give me a dynamic search for different source types?

Influencer

Can you post two of your searches?
