Splunk Enterprise

What is the quickest way to list files that exist on an index?

mehrdad_2000
Builder

What is the quickest way to list files that exist on an index?
I usually use this SPL command, but it takes a long time, especially if the index size is huge!
index="my-index" | dedup source | table source

any idea?
Thanks


kamlesh_vaghela
SplunkTrust
SplunkTrust

@mehrdad_2000 

Can you please try this?

| metadata type=sources index=main


Refer to this for more info:

https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Metadata

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

mehrdad_2000
Builder

Thank you, it works.

Is it possible to do this:

Here is my source column,
/data/product1/customer1/20210628/log.SRV21.20210622.bz2
/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2
...

Is it possible to populate these fields from source on a dashboard?
servername= SRV21
servername= dlbranch1


product= product1
product= product2

customer= customer1
customer= customer2

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mehrdad_2000 

Can you please try this?

YOUR_SEARCH_WITH_COLUMN_FIELD
| rex field=source "\/data\/(?<product>\w+)\/(?<customer>\w+)\/.*\/log\.(?<servername>\w+)."
| table source servername product customer


My sample search:

| makeresults | eval _raw="source
/data/product1/customer1/20210628/log.SRV21.20210622.bz2
/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2
" | multikv forceheader=1
| rex field=source "\/data\/(?<product>\w+)\/(?<customer>\w+)\/.*\/log\.(?<servername>\w+)."
| table source servername product customer

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

mehrdad_2000
Builder

Thanks, it works.

But I want to populate/query it on a dashboard, and the SPL below does not work: when I add the part "search SRV18", no result is returned. But when I remove this part, it returns all source and servername values.

| metadata type=sources index="main" earliest=1 | dedup source | rex field=source "\/.*\/log\.(?<servername>\w+)."  | search "SRV18"
| table source servername


any idea?

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mehrdad_2000 

It should work like this.

| makeresults | eval _raw="source
/data/product1/customer1/20210628/log.SRV21.20210622.bz2
/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2
" | multikv forceheader=1
| rex field=source "\/data\/(?<product>\w+)\/(?<customer>\w+)\/.*\/log\.(?<servername>\w+)."
| table source servername product customer
| search servername="SRV21"

Can you please share a source which contains SRV18 as the server name?

KV

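The rex extraction from the earlier answer and the field-value filter from the last reply, replicated in Python as an added example (my code, not from the thread, from Splunk, or from any poster): it applies the thread's pattern to constructed sample source paths, builds the same source/servername/product/customer table, and filters on the extracted servername field rather than on a bare keyword. The SRV18 path, the hyphenated server name, and the stricter `STRICT_PATTERN` are my additions, included to show where `\w+` stops matching.

```python
import re

# Constructed sample "source" values, shaped like the paths quoted in the thread.
# The third and fourth entries are my additions: one carrying SRV18 and one with a
# hyphenated server name, a case the thread's pattern does not cover.
SAMPLE_SOURCES = [
    "/data/product1/customer1/20210628/log.SRV21.20210622.bz2",
    "/data/product2/customer2/20210628/log.dlbranch1.20210628.bz2",
    "/data/product1/customer3/20210629/log.SRV18.20210629.bz2",
    "/data/product3/customer4/20210630/log.srv-21.20210630.bz2",
]

# The thread's rex pattern rewritten in Python syntax: named groups are (?P<name>...)
# and "/" needs no escaping. The trailing "." is kept from the original; it matches
# whatever single character follows the server name.
THREAD_PATTERN = re.compile(
    r"/data/(?P<product>\w+)/(?P<customer>\w+)/.*/log\.(?P<servername>\w+)."
)

# Stricter variant (my suggestion, not from the thread): \w does not match "-", so
# "srv-21" is cut to "srv" by the pattern above. [^.]+ takes everything up to the
# next dot, and [^/]+ does the same for the path components.
STRICT_PATTERN = re.compile(
    r"/data/(?P<product>[^/]+)/(?P<customer>[^/]+)/.*/log\.(?P<servername>[^.]+)\."
)


def extract_fields(source, pattern=THREAD_PATTERN):
    """Return the fields rex would add to an event, or {} when the pattern does
    not match (rex leaves the fields unset on non-matching events)."""
    match = pattern.search(source)
    return match.groupdict() if match else {}


def build_table(sources, pattern=THREAD_PATTERN):
    """Equivalent of `| rex field=source ... | table source servername product customer`."""
    rows = []
    for source in sources:
        row = {"source": source}
        row.update(extract_fields(source, pattern))
        rows.append(row)
    return rows


def filter_by_field(rows, field, value):
    """Equivalent of `| search servername="SRV18"`: an exact match on one extracted
    field, which is what the last reply recommends instead of a bare keyword."""
    return [row for row in rows if row.get(field) == value]


if __name__ == "__main__":
    table = build_table(SAMPLE_SOURCES)
    for row in table:
        print(row)
    print("SRV18 only:", filter_by_field(table, "servername", "SRV18"))
    print("hyphen, thread pattern:", extract_fields(SAMPLE_SOURCES[3]))
    print("hyphen, strict pattern:", extract_fields(SAMPLE_SOURCES[3], STRICT_PATTERN))
```

Running it prints one row per path; the fourth row shows servername `srv` under the thread's pattern and `srv-21` under the strict one, which is worth checking against real source names before wiring the regex into a dashboard filter.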