Splunk Search

Is there a way to not do expansion of sourcetype?

fredclown
Communicator

I execute a search with this ...


index=foo sourcetype=wineventlog field=value ...

In the search.log I am seeing a line that says ...

INFO  SearchEvaluatorBasedExpander -  sourcetype expansions took 32 ms

and after that I see ...

INFO  UnifiedSearch - Expanded index search = (index=foo sourcetype=wineventlog OR sourcetype=WinEventLog:Application OR sourcetype=WinEventLog:DFS-Replication OR sourcetype=WinEventLog:DNS-Server OR sourcetype=WinEventLog:Directory-Service OR sourcetype=WinEventLog:File-Replication-Service OR sourcetype=WinEventLog:Key-Management-Service ...


Is there a way to not do expansion of sourcetype? It still works, but it is encompassing more data than needs to be searched over and is inefficient.

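An added example, not part of the original post and not Splunk code: a small Python script that parses the two search.log lines quoted above (the timing line and the "Expanded index search" line) and reports which sourcetypes the expander added beyond the one the search asked for. The sample log text is constructed for this example and follows the format shown in the post; the sourcetype names in it are assumed, not taken from a real search.log.

```python
import re

# Constructed sample search.log excerpt, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
INFO  SearchEvaluatorBasedExpander -  sourcetype expansions took 32 ms
INFO  UnifiedSearch - Expanded index search = (index=foo sourcetype=wineventlog OR sourcetype=WinEventLog:Application OR sourcetype=WinEventLog:DNS-Server OR sourcetype=WinEventLog:Security)
"""

# The expanded search is everything inside the outer parentheses.
EXPANDED_RE = re.compile(r"Expanded index search = \((.*)\)\s*$")
# key=value pairs inside the expanded search; values may contain ':' and '-'.
KV_RE = re.compile(r"(\w+)=([^\s()]+)")
TIMING_RE = re.compile(r"sourcetype expansions took (\d+) ms")


def parse_expanded_search(log_text):
    """Return (indexes, sourcetypes) named by the first 'Expanded index search'
    line, preserving the order Splunk printed them, or None if absent."""
    for line in log_text.splitlines():
        m = EXPANDED_RE.search(line)
        if not m:
            continue
        indexes, sourcetypes = [], []
        for key, value in KV_RE.findall(m.group(1)):
            if key == "index":
                indexes.append(value)
            elif key == "sourcetype":
                sourcetypes.append(value)
        return indexes, sourcetypes
    return None


def expansion_time_ms(log_text):
    """Milliseconds reported by the SearchEvaluatorBasedExpander line, or None."""
    m = TIMING_RE.search(log_text)
    return int(m.group(1)) if m else None


def extra_sourcetypes(requested, expanded):
    """Sourcetypes present in the expanded search that the user did not ask for.
    Comparison is case-insensitive because sourcetype names in the expansion
    may differ only in case from what was typed."""
    wanted = {s.lower() for s in requested}
    return [s for s in expanded if s.lower() not in wanted]


if __name__ == "__main__":
    parsed = parse_expanded_search(SAMPLE_LOG)
    if parsed is None:
        print("no 'Expanded index search' line found")
    else:
        indexes, sourcetypes = parsed
        extras = extra_sourcetypes(["wineventlog"], sourcetypes)
        print(f"indexes searched: {indexes}")
        print(f"expansion took {expansion_time_ms(SAMPLE_LOG)} ms")
        print(f"sourcetypes added by expansion: {extras}")
```

Point it at a real search.log (read the file into `log_text`) and pass the sourcetype from your own search as `requested`; a non-empty `extras` list confirms the expansion is widening the search beyond what you typed, which is the inefficiency the post describes.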

fredclown
Communicator

It looks to me like it has to do with field aliases. Which is odd I think. The field I am using is an alias for some other fields in other sourcetypes ... but not in the sourcetype I am specifying. In that sourcetype that is indeed the field name. I could be wrong, but that is what it looks like to me. Anyone have thoughts on this? I would think that if I explicitly specify a sourcetype then that would be all that is used.
