Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search multiple sources within my search?

andreacorrie
Explorer
‎09-13-2016 03:12 PM

How do I search multiple source files within my search? I want to do something like:

source="/foo/bar/2016/09/{08,15}/*.avro"

or

source="/foo/bar/2016/09/[08-30]/*.avro"

but neither syntax returns results.

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎09-19-2016 02:08 PM

This should work

index=foo sourcetype=bar [| gentimes start=-1 | eval t=mvrange(8,30+1) | table t | mvexpand t | eval source="/foo/bar/2016/09/".substr("0".t,-2) | table source] | .... rest of the search

The subsearch is generating a series of sources from "/foo/bar/2016/09/08" to "/foo/bar/2016/09/30" in a giant OR statement ( source="/foo/bar/2016/09/08" OR source="/foo/bar/2016/09/09"...OR "/foo/bar/2016/09/30")

0 Karma
Reply

sundareshr
Legend
‎09-19-2016 01:58 PM

Try this

base search | regex source="\/\d{2}\/(0[8-9]|1[0-5])\/"
0 Karma
Reply

pasokkum
Path Finder
‎09-18-2016 11:30 PM

try this..

alt text

ans.png
Preview file
4 KB
0 Karma
Reply

andreacorrie
Explorer
‎09-19-2016 01:26 PM

This will work but again, it doesn't scale for more than a few days. I'm looking for a solution that I can search 30 days, for example.

0 Karma
Reply

kschon_splunk
Splunk Employee
Splunk Employee
‎09-13-2016 03:57 PM

In the example you are using, I would suggest extracting the _time variable from your path, and then restricting your query by time (e.g. using the graphical time range picker). There is more information here:
https://docs.splunk.com/Documentation/Hunk/6.4.3/Hunk/Virtualindexconfigurationvariables

In particular, look at these properties:

vix.input.[N].et.regex
vix.input.[N].et.format
vix.input.[N].lt.regex
vix.input.[N].lt.format

If you want to query on something other than time, you can extract additional variables from the path as well, using the property "vix.input.1.path". You can see some examples here:
https://docs.splunk.com/Documentation/Hunk/6.4.3/Hunk/Setupavirtualindex

That should simplify your queries somewhat, since you won't have to simultaneously specify the values you're looking for, and where to find them in the path.

Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-13-2016 03:15 PM

You could do source=* or you could do source="/foo/bar/2016/09/{08,09}/*.avro" OR source="/foo/bar/2016/09/[08-09]/*.avro"

0 Karma
Reply

andreacorrie
Explorer
‎09-13-2016 03:19 PM

In my example, I want to search the 8th or the 9th. I'm using syntax you would use in Apache Pig to specify multiple days. Yes, I could use source = source="/foo/bar/2016/09/08/*.avro OR source="/foo/bar/2016/09/09/*.avro but this doesn't scale if you want to search more than a couple days.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-13-2016 03:28 PM

Ahh I see.. You want to have the ability to scale your searches relative to the date which is a dynamic value. Are the days in your source offset from the current day or do they match up to the current date?

I'm assuming with this, you want to search the data from that source that is from Sept 8 and Spet 9th?

source="/foo/bar/2016/09/{08,09}/*.avro"

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top