Search by source name in virtual index does not sh...

sdaruna · ‎01-18-2016

Hi,

i need to get the raw data of file based on source file name. For that i have used below query.

source="xml_file_1.xml" | table _raw

This is giving results only for local indexes, but not the virtual indexes.
I tried below queries as well,

index ="hdfs_index" | search source="xml_file_1.xml" | table _raw
index ="hdfs_index" WHERE source="xml_file_1.xml" | table _raw

But, none has given results.
What went wrong.

Is there a way that i can match the source file name.?

javiergn · ‎01-18-2016

What about the following using a wildcard for your source?

index ="hdfs_index" source="*xml_file_1.xml" | table _raw

Apologies if I'm missing something here.

sdaruna · ‎01-18-2016

In fact, i missed a point here. The source will be name in virtual indexes will have full path.

I tried below one and worked.

index="hdfs_index" | eval source = replace(source, ".*/", "") | search source="xml_file_0.xml" | table _raw

Search by source name in virtual index does not show results