Splunk Search

Is there a way to not do expansion of sourcetype?

fredclown
Builder

I execute a search with this ...

index=foo sourcetype=wineventlog field=value ...

 

In the search.log I am seeing a line that says ...

INFO  SearchEvaluatorBasedExpander -  sourcetype expansions took 32 ms

 

and after that I see ...

INFO  UnifiedSearch - Expanded index search = (index=foo sourcetype=wineventlog OR sourcetype=WinEventLog:Application OR sourcetype=WinEventLog:DFS-Replication OR sourcetype=WinEventLog:DNS-Server OR sourcetype=WinEventLog:Directory-Service OR sourcetype=WinEventLog:File-Replication-Service OR sourcetype=WinEventLog:Key-Management-Service ...

Is there a way to not do expansion of sourcetype? It still works, but it is encompassing more data than needs to be searched over and is inefficient.

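Added example, not code from the original post or from Splunk: a small Python audit that reads the two search.log lines quoted above and reports which sourcetypes the expander pulled in beyond the one that was typed, plus the expansion time, so the extra search scope can be measured before deciding whether it matters. The sample search.log excerpt is constructed; it completes the expansion list that the post truncates with "...", using a shorter list of sourcetypes.

```python
import re

# Constructed search.log excerpt modelled on the lines quoted in the post. The real log
# truncates the expansion with "...", so the sourcetype list below is a stand-in.
SAMPLE_SEARCH = 'index=foo sourcetype=wineventlog field=value'
SAMPLE_SEARCH_LOG = """\
INFO  SearchEvaluatorBasedExpander -  sourcetype expansions took 32 ms
INFO  UnifiedSearch - Expanded index search = (index=foo sourcetype=wineventlog OR sourcetype=WinEventLog:Application OR sourcetype=WinEventLog:DFS-Replication OR sourcetype=WinEventLog:DNS-Server)
"""

# sourcetype=value, where value is either quoted or a bare token (stops at whitespace/parens)
SOURCETYPE_RE = re.compile(r'sourcetype=("[^"]*"|[^\s()]+)')
EXPANDED_RE = re.compile(r'UnifiedSearch - Expanded index search = \((.*)\)')
TIMING_RE = re.compile(r'SearchEvaluatorBasedExpander -\s+sourcetype expansions took (\d+) ms')


def sourcetypes_in(search):
    """Sourcetype values named in a search, lower-cased (Splunk matches them case-insensitively)."""
    return {m.group(1).strip('"').lower() for m in SOURCETYPE_RE.finditer(search)}


def audit_expansion(original_search, search_log):
    """Compare the sourcetypes the user typed with those in the 'Expanded index search' line.

    Returns the requested set, the set the expander added, the expansion time in ms
    (None if the timing line is absent) and whether an expanded-search line was found.
    """
    requested = sourcetypes_in(original_search)
    expanded = set()
    found = False
    expansion_ms = None
    for line in search_log.splitlines():
        m = EXPANDED_RE.search(line)
        if m:
            found = True
            expanded |= sourcetypes_in(m.group(1))
        t = TIMING_RE.search(line)
        if t:
            expansion_ms = int(t.group(1))
    return {
        'requested': requested,
        'added': expanded - requested,
        'expansion_ms': expansion_ms,
        'expanded_line_found': found,
    }


if __name__ == '__main__':
    report = audit_expansion(SAMPLE_SEARCH, SAMPLE_SEARCH_LOG)
    print(f"requested: {sorted(report['requested'])}")
    print(f"added by expansion ({report['expansion_ms']} ms): {sorted(report['added'])}")
```

Point the script at a real search.log (Job Inspector, or the dispatch directory on the search head) and the `added` set shows exactly how far past the requested sourcetype the search scope grew.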

fredclown
Builder

It looks to me like it has to do with field aliases. Which is odd I think. The field I am using is an alias for some other fields in other sourcetypes ... but not in the sourcetype I am specifying. In that sourcetype that is indeed the field name. I could be wrong, but that is what it looks like to me. Anyone have thoughts on this? I would think that if I explicitly specify a sourcetype then that would be all that is used.
