Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to pull events with multiple sourcetype
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am searching events with specific multiple sourcetype, but getting extra sourcetype.Kindly refer attached file.
Am searching sourcetype=splunkd OR sourcetype=splunkd_access
index="_internal" sourcetype=splunkd OR sourcetype=splunkd_access OR component=root OR component=Metrics | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is due to the OR condition you have in your search query.
index="_internal" sourcetype="splunkd" OR sourcetype="splunkd_access" OR component=root OR component=Metrics | rest of the search
It will bring all records which satisfies anyone of the condition, and when a record is found with "component=root" it is of sourcetype splunk_web_service.
So, if you don't want records from a particular sourcetype you can either filter that out using where clause or you can update your search to have AND condition as shown in the below command,
index="_internal" sourcetype="splunkd" OR sourcetype="splunkd_access" AND (component=root OR component=Metrics) |rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm agree with @whrg.
In my opinion, I think the boolean operators ( AND, OR, NOT) command should be included in "( )" such as index="_internal" (sourcetype=splunkd OR sourcetype=splunkd_access) (component=root OR component=Metric)
When you are using command "search" without any boolean operators, splunk will fill an AND between the search conditions. For example, index=_internal sourcetype=splunkd is equals that index=_internal AND sourcetype=splunkd.
In your case, sourcetype=* and component=* are not conflicting conditions so maybe you should better to use AND or nothing between them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is due to the OR condition you have in your search query.
index="_internal" sourcetype="splunkd" OR sourcetype="splunkd_access" OR component=root OR component=Metrics | rest of the search
It will bring all records which satisfies anyone of the condition, and when a record is found with "component=root" it is of sourcetype splunk_web_service.
So, if you don't want records from a particular sourcetype you can either filter that out using where clause or you can update your search to have AND condition as shown in the below command,
index="_internal" sourcetype="splunkd" OR sourcetype="splunkd_access" AND (component=root OR component=Metrics) |rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you have too many "OR"s.
Try this:
index="_internal" sourcetype=splunkd OR sourcetype=splunkd_access component=root OR component=Metrics | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count by sourcetype
Written differently:
index="_internal" (sourcetype=splunkd OR sourcetype=splunkd_access) AND (component=root OR component=Metrics) | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count by sourcetype
Community Content Calendar, November Edition
October Community Champions: A Shoutout to Our Contributors!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
