Splunk Search

Is there any way to prevent additional sourcetypes from being added to the normalized search?

khevans
Path Finder

I'm running a search and I've noticed that there are a ton of additional sourcetypes (like f5_bigip:, pan:, WMI:*) being added into my search. I assume this has something to do with CIM compliance by our Splunk admins.

Is there any way that I can prevent these additional sourcetypes from being added to my search? I do not have administrative permissions, so is there something that I can add into my search query?

My search has nothing to do with those sourcetypes and my index does not contain data that's relevant to that. I am worried that it may degrade the performance of my query, which is sparse and already a bit slow.

0 Karma