Splunk Search

How to edit my search to match indexes ending with a set of values?

ribeiror
Engager

Hi

I have a search that needs to search in several indexes ending with several words, e.g.:

index=stuff-xxx or index=stuff-yyy or index=stuff-zzz ...

but these xxx, yyy and zzz 'words' are more than 20 and counting, so is there a way to do something like this?:

index=stuff-(xxx|yyy|zzz)

Note: do not suggest a star/asterisk wildcard; I need to ignore everything else, I don't need indexes like stuff-aaa.

Thanks!


adonio
Ultra Champion

create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search myMacro ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps

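To make the macro approach concrete, here is an added example (not from the original thread) of what the macro stanza looks like on disk, next to the equivalent eventtype from the other answer. The suffixes xxx/yyy/zzz, the macro name stuff_indexes and the sourcetype in the usage lines are assumed for illustration.

```conf
# Added example, not code posted in the thread.
# macros.conf (put it in the app's local/ directory, or create the macro
# under Settings > Advanced search > Search macros in the UI)
[stuff_indexes]
# Parentheses keep the OR list grouped when the rest of the search is ANDed on.
definition = (index=stuff-xxx OR index=stuff-yyy OR index=stuff-zzz)
iseval = 0

# eventtypes.conf: the alternative from the thread, holding the same list
[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy OR index=stuff-zzz

# Usage in a search. A macro is invoked with backticks, an eventtype by name:
#   `stuff_indexes` sourcetype=access_combined status=500
#   eventtype=stuff_index sourcetype=access_combined status=500
```

Two practical points: the macro only ever matches the indexes listed in its definition, so there is no wildcard and stuff-aaa stays excluded as the question requires; and the macro is a knowledge object with its own permissions, so share it at app or global level, otherwise a report or dashboard owned by another user fails with an unresolvable-macro error instead of silently returning less data.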

sbbadri
Motivator

Try this

eventtypes.conf

[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy ...

Search query :
eventtype="stuff_index" .....

somesoni2
Revered Legend

Try like this

[| gentimes start=-1 | eval index="xxx yyy zzz ppp qqq...all other separated by space" | table index | makemv index | mvexpand index | eval index="stuff-".index ] ...rest of the search

The subsearch will dynamically generate that OR list for you, so you just need to add the keyword in the eval index="xxx... part.

ribeiror
Engager

Yes, this way I can use the macro in several reports and stuff.
Thanks!
