Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to specify more than 4 index="" strings in a metadata search. Is it possible, or is there another alternative?

bsellapi
New Member
‎06-15-2016 12:09 AM

I have a requirement where I need to have only a specific index and that index string appends dynamically which will have more than 4 indexes as below:

|metadata type=sources index="100*" OR index="105*" OR index="106*" OR index="203*" OR index="408*" OR index="f" OR index="g"

problem here is If I add more than 4 indexes in the metadata search, it's not getting executed and says "No result found". I need to overcome this. Any alternative way to add more indexes in a metadata search?

Note: I need to have only specific index not like index="*"

Appreciate in advance for the help!

Thanks

0 Karma
Reply

javiergn
Super Champion
‎06-15-2016 04:29 AM

See if my answer here helps:

https://answers.splunk.com/answers/399972/how-to-edit-my-typehost-metadata-search-to-exclude.html

 | rest /services/data/indexes 
 | rename title as indexname
 | search indexname = A OR indexname = B OR indexname = C OR indexname = D ...
 | table indexname
 | map maxsearches=99 search=" | metadata type=sources index=\"$indexname$\" | eval index=\"$indexname$\" "
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...