Splunk Search

Is there any effective way to improve the speed of my search to fetch details of all eventtypes and their source?

Path Finder

Hi,

I need to fetch the details of all the eventtypes and their source through a search. I use the search below, but it takes a very long time to complete a search (say more than 30 mins). Is there any effective way to improve the speed of my search? The search I am using is:

eventtype=* | dedup eventtype | table eventtype, source | sort eventtype
0 Karma
1 Solution

SplunkTrust

Hi SridharS,

Yes there is. You can call the REST endpoint for the eventtypes.conf and display them using this REST search:

| rest /services/configs/conf-eventtypes | rex field=id "(?<EventType>[^/]+$)" | rex field=search "(?<Source>source=.+)" | table EventType Source

Maybe you need to adapt the rex for the Source field, but it should give you a faster search to start with.

cheers, MuS


Path Finder

This gave me the exact result what i was looking for

| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | dedup EventType | table EventType search

Path Finder

Hi MuS, this is what I was actually looking for. On the other hand, I have some eventtype names with spaces in between. I tried changing the above query for this, but I did not get through. My eventtype names contain a-z, 0-9 and the - (minus) symbol. And also, when I run the above query, due to the space error I am not able to view the source.

0 Karma

SplunkTrust

This should get you what you want.

| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | table EventType Source

Path Finder

That was perfect. I got the eventtype list exactly (without the space concern). But I am not sure why the source is missing again. When I ran a normal search query I got all the source paths, but here I am just getting "/splunkd_access.log OR source=\\splunkd_access.log" as the source path for 6 or 7 eventtypes; the remaining 190+ eventtypes are not displaying a source.

0 Karma

SplunkTrust

This REST search will return your eventtype definitions and does not run any eventtype searches; that is why you will only get a source string if the eventtype definition itself contains a source string.

0 Karma
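As an added example (not from the thread and not Splunk's own code), the following Python script parses a constructed eventtypes.conf fragment and pulls every `source=` value out of each definition, the same information the `| rest /services/configs/conf-eventtypes` search returns in its `title` and `search` fields. It illustrates MuS's last point: a definition that constrains on sourcetype or keywords rather than on `source` yields nothing, because reading the config never executes the eventtype search. The sample stanzas, including names with spaces and hyphens, are constructed for the example; the stanza name corresponds to the REST `title` field, which is why MuS's second query keeps names with spaces intact.

```python
import re
from typing import Dict, List

# Constructed sample of an eventtypes.conf, not taken from the original thread.
# Stanza names are eventtype names; 'search' holds the eventtype's search string.
SAMPLE_EVENTTYPES_CONF = """\
[splunkd_access]
search = source=*splunkd_access.log OR source=\\\\splunkd_access.log

[web-errors 5xx]
search = sourcetype=access_combined status>=500

[auth failures]
search = (source="/var/log/auth.log" OR source="/var/log/secure") "Failed password"

[wineventlog-logon]
search = source="WinEventLog:Security" EventCode=4624
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?P<value>.*)$")
# Matches source=<value> where value is "quoted" or a bare token. The \b keeps
# 'sourcetype=' from matching. The thread's rex "source=.+" grabs only the first
# occurrence and everything after it, which is why OR-ed sources came out as one blob.
SOURCE_RE = re.compile(r'\bsource\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_eventtypes_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse eventtypes.conf text into {eventtype_name: {key: value}}.

    Stanza names may contain spaces and hyphens; they are taken as-is, just as
    the REST endpoint's 'title' field returns them.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip()
    return stanzas


def sources_in_search(search: str) -> List[str]:
    """Return every source= value in a search string (quoted or bare), in order."""
    out: List[str] = []
    for m in SOURCE_RE.finditer(search):
        out.append(m.group("quoted") if m.group("quoted") is not None else m.group("bare"))
    return out


def eventtype_sources(text: str) -> Dict[str, List[str]]:
    """Map each eventtype to the sources named in its definition.

    An empty list means the definition carries no source constraint at all.
    Only running the eventtype's search over real events would reveal which
    sources it matches in that case; the config alone cannot tell you.
    """
    return {name: sources_in_search(kv.get("search", ""))
            for name, kv in parse_eventtypes_conf(text).items()}


if __name__ == "__main__":
    for et, srcs in eventtype_sources(SAMPLE_EVENTTYPES_CONF).items():
        print(f"{et!r}: {srcs or '(no source constraint in definition)'}")
```

Running it lists two sources for `splunkd_access`, two for `auth failures`, one for `wineventlog-logon`, and none for `web-errors 5xx`, which is the pattern the asker saw: a handful of eventtypes with a `source=` literal and the rest blank. If the actual sources matter, the original `eventtype=... | stats values(source) by eventtype` style search (or a scheduled summary of it) is still required, because that is the only approach that evaluates the definitions against indexed data.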