Splunk Search
Highlighted

How to edit my search to match indexes ending with a set of values?

Engager

Hi

I have a search that needs to search in several indexes ending with several words, ex:

index=stuff-xxx or index=stuff-yyy or index=stuff-zzz ...

but these xxx, yyy and zzz 'words' are more than 20 and counting, so is there a way to do something like this?:

index=stuff-(xxx|yyy|zzz)

Note: do not suggest a star/asterisk wildcard, I need to ignore everything else, I don't need indexes like stuff-aaa.

Thanks!

0 Karma
Highlighted

Re: How to edit my search to match indexes ending with a set of values?

SplunkTrust
SplunkTrust

create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search myMacro ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps

View solution in original post

Highlighted

Re: How to edit my search to match indexes ending with a set of values?

Engager

Yes, this way i can use the macro in several reports and stuff..
Thanks!

0 Karma
Highlighted

Re: How to edit my search to match indexes ending with a set of values?

SplunkTrust
SplunkTrust

Try like this

[| gentimes start=-1 | eval index="xxx yyy zzz ppp qqq...all other separated by space" | table index | makemv index | mxpand index | eval index="stuff-".index ] ...rest of the search

The subsearch will dynamically generate that OR list for you, so you just need to add the keyword in the eval index="xxx... part.

Highlighted

Re: How to edit my search to match indexes ending with a set of values?

Motivator

Try this

eventtypes.conf

[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy ...

Search query :
eventtype="stuff_index" .....