Solved: How do I create a query to look at multiple source...

Jennifer · ‎01-25-2022

Hi, all!

Here are the sources that I want to contain at my search:

- /appvol/wlp/DIVR01HK-AS01/applogs/appl.log

- /appvol/wlp/DIVR01HK-AS01/applogs/appl.log.1

- /appvol/wlp/DIVR01HK-AS01/applogs/appl.log.2

...

- /appvol/wlp/DIVR01HK-AS01/applogs/appl.log.50

How I could summarize those sources in a simple way in my Search command?

gcusello · ‎01-25-2022

what do you mean with summarize?

if you want to filter logs with this sources, you can use:

index=your_index source="/appvol/wlp/DIVR01HK-AS01/applogs/appl.log*"
| ...

if you want to count the number of events for each source, you could run something like this:

index=your_index source="/appvol/wlp/DIVR01HK-AS01/applogs/appl.log*"
| stats count BY source

Ciao.

Giuseppe

gcusello · ‎01-25-2022

what do you mean with summarize?

if you want to filter logs with this sources, you can use:

index=your_index source="/appvol/wlp/DIVR01HK-AS01/applogs/appl.log*"
| ...

if you want to count the number of events for each source, you could run something like this:

index=your_index source="/appvol/wlp/DIVR01HK-AS01/applogs/appl.log*"
| stats count BY source

Ciao.

Giuseppe

ITWhisperer · ‎01-25-2022

Try something like this

index=... source=/appvol/wlp/DIVR01HK-AS01/applogs/appl.log*

How do I create a query to look at multiple sources which have very similar names but with different numbers at the end?