Hi,
I need to perform a search on forwarder data from the _internal index, but I need to exclude my indexers from that search.
I know I can get the indexers list in many ways, for example:
index=_internal source="*metrics.log" group=instance instance_roles="*indexer*"
| table host
| dedup host
But how can I use the list to dynamically exclude the hosts from my other _internal search?
Hi eden881,
you can exclude the indexers with this SPL example:
index=_internal NOT
[| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
| table host
| format ]
The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.
Hope this helps ...
cheers, MuS
Thanks! It works well.
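The same exclusion built from the question's own indexer search instead of tstats, as an added example that is not part of the original thread. The `sourcetype=splunkd log_level=ERROR` filter and the closing `stats` are assumptions, chosen only to give the outer search something to report on.

```spl
index=_internal sourcetype=splunkd log_level=ERROR NOT
    [ search index=_internal source="*metrics.log" group=instance instance_roles="*indexer*"
      | dedup host
      | fields host
      | format ]
| stats count BY host, component
| sort - count
```

Running the bracketed search on its own, without the brackets, shows the exact `( ( host="..." ) OR ... )` expression that `format` hands to the outer search. Subsearches are subject to the result and runtime limits in limits.conf, so confirm the indexer list comes back complete before relying on the exclusion.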