Solved: help for requesting on many sourcetype

jip31 · ‎09-02-2021

Hello

I have to search events on many sourcetype with name begin by "ezop:web"

So I use a wildcard after "ezop:web*"

index="tutu" sourcetype=ezop:web*

Is it the good practice or is it better to do somethin like this :

(sourcetype=ezop:web1 OR sourcetype=ezop:web2 OR sourcetype=ezop:web3)

Or pearhaps something else?

Thanks

isoutamo · ‎09-02-2021

Hi

In personally I use the 1st one in most cases. To be sure which one is best for your particular cases I propose you to check with Job Inspector the costs of different versions. This could be different based on cardinality of sourcetypes and amount of your events you have.

Of course if you have ST likes ezop:web1 .... ezop:web9999 then it's better to use 2nd one or sourcetype IN (ezop:web1, ezop:web2, ezop:web3). But as I said, you should use Job Inspector to check which one is best in which case.

r. Ismo

View solution in original post

isoutamo · ‎09-02-2021

Hi

In personally I use the 1st one in most cases. To be sure which one is best for your particular cases I propose you to check with Job Inspector the costs of different versions. This could be different based on cardinality of sourcetypes and amount of your events you have.

Of course if you have ST likes ezop:web1 .... ezop:web9999 then it's better to use 2nd one or sourcetype IN (ezop:web1, ezop:web2, ezop:web3). But as I said, you should use Job Inspector to check which one is best in which case.

r. Ismo

help for requesting on many sourcetype

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases