Solved: Re: How to edit my search to match indexes ending ...

ribeiror · ‎06-26-2017

Hi

I have a search that needs to search in several indexes ending with several words, ex:

index=stuff-xxx or index=stuff-yyy or index=stuff-zzz ...

but these xxx, yyy and zzz 'words' are more than 20 and counting, so is there a way to do something like this?:

index=stuff-(xxx|yyy|zzz)

Note: do not suggest a star/asterisk wildcard, I need to ignore everything else, I don't need indexes like stuff-aaa.

Thanks!

adonio · ‎06-26-2017

create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search myMacro ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps

View solution in original post

sbbadri · ‎06-30-2017

Try this

eventtypes.conf

[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy ...

Search query :
eventtype="stuff_index" .....

somesoni2 · ‎06-26-2017

Try like this

[| gentimes start=-1 | eval index="xxx yyy zzz ppp qqq...all other separated by space" | table index | makemv index | mxpand index | eval index="stuff-".index ] ...rest of the search

The subsearch will dynamically generate that OR list for you, so you just need to add the keyword in the eval index="xxx... part.

adonio · ‎06-26-2017

create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search myMacro ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps

ribeiror · ‎06-30-2017

Yes, this way i can use the macro in several reports and stuff..
Thanks!

How to edit my search to match indexes ending with a set of values?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio