Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Metasearch and Rawdata is required...

kryzew
Explorer
‎12-25-2019 06:20 AM

Hi,

I' cant end my search using metasearch when I need to find in index something with space betwen like "Microsoft Update". There is no problem to find there one word aplikaction like below:

|metasearch index=my_index ("onewordaplikaction")

When I try:

|metasearch index=my_index ("twoword aplikaction")

I get error:

Streamed search execute failed because: Error in 'metalitsearch' command: Invalid metasearch. Rawdata is required for this search..

Is there any way to find by metasearch something like "Microsoft Update" or "Update"? Or is just metasearch limit?

BR,

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-28-2019 03:21 PM

You can do it like this:

| tstats count max(_time) AS _time WHERE index="my_index" AND (TERM("onewordaplikaction") OR (TERM("twoword") AND TERM("aplikaction")))
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-25-2019 11:48 PM

Hi @kryzew,
with | metasearch you can use only few fields (index, sourcetype, source, host), and you cannot use raw data for text search.
I understand that | metasearch is faster than a normal way, but you cannot use it if you need a text search.
If you don't need other fields, but only raw data, you can use the Fast Search Mode.

Ciao.
Giuseppe

0 Karma
Reply

kryzew
Explorer
‎12-28-2019 09:03 AM

Hi,
@kamlesh_vaghela
I tired on this way but its don't work.
When I used "Update" or "Microsoft" I can't find field named "Microsoft Update" im metasearch.
I use "*Update" don't work too.

@gcusello I can't explain, but I can find more than splunk doc say about metasearch.

I compare normal search and metasearch, and I have same results, mean time when something hapen.

But, I can't show on table more than fields like index, host, source, sourcetype like splunk doc say.

BR,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-29-2019 03:07 AM

Hi @kryzew,
as I said using metasearch you have only few fields and you cannot use rawdata for text search.

Comparing metasearch and normal search (using Verbose Mode) you have the same number of results only if in your search you're using index, sourcetype, source or host, and anyway with metasearch you haven't the rawdata.
Then you cannot have the same results if you want to use another field or a text search.

Whay do you want to use metasearch? what's your need?

Ciao and Happy New Year.
Giuseppe

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-25-2019 09:47 AM

@kryzew

Have you tried these?

|metasearch index=my_index "Microsoft"

OR

|metasearch index=my_index "Update"

OR

|metasearch index=my_index "Microsoft" "Update"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...