Solved: Re: retrieve indexes from splunk.log

tay · ‎03-25-2024

Hello splunk community,

I have this query but I would also like to retrieve the index to which the sourcetype belongs

index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd
(component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor) (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
| rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
| eval data_sourcetype=coalesce(data_sourcetype, st)
| rename data_sourcetype as sourcetype
| table sourcetype event_message component thread_name _time _raw
| stats first(event_message) as event_message by sourcetype component

any ideas ?
thx in advance

richgalloway · ‎03-25-2024

I try to avoid join where possible, but I can't make this query work without it. See if this helps you.

index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd
(component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor) (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
| rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
| eval data_sourcetype=coalesce(data_sourcetype, st)
| rename data_sourcetype as sourcetype
| fields sourcetype event_message component
| join sourcetype [| tstats count where index=* by sourcetype, index 
  | fields - count ]
| table sourcetype component event_message index

---
If this reply helps you, Karma would be appreciated.

View solution in original post

tay · ‎03-26-2024

Thanks, even if the query consumes a lot, but it works

richgalloway · ‎03-25-2024

You can't retrieve the index from the log if it isn't there, which is the case for these events. You'll have to search for the index by sourcetype.

| tstats count where index=* sourcetype=data_sourcetype
| fields - count

---
If this reply helps you, Karma would be appreciated.

tay · ‎03-25-2024

This is precisely my problem, I have to start from this command and therefore retrieve the index elsewhere... but then what happens if the indexes have sourcetype names in common?

richgalloway · ‎03-25-2024

Nothing "happens". It's legitimate for a sourcetype to be present in more than one index. It may complicate your query, though.

---
If this reply helps you, Karma would be appreciated.

tay · ‎03-25-2024

so if I do a "join" with your query, the correct index will be associated with the sourcetype?

richgalloway · ‎03-25-2024

I try to avoid join where possible, but I can't make this query work without it. See if this helps you.

index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd
(component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor) (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
| rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
| eval data_sourcetype=coalesce(data_sourcetype, st)
| rename data_sourcetype as sourcetype
| fields sourcetype event_message component
| join sourcetype [| tstats count where index=* by sourcetype, index 
  | fields - count ]
| table sourcetype component event_message index

---
If this reply helps you, Karma would be appreciated.

PickleRick · ‎03-25-2024

Probably append with some stats values() would do the trick similarily to join.

retrieve indexes from splunk.log

index

sourcetype

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio