Splunk Search

Unable to specify more than 4 index="" strings in a metadata search. Is it possible, or is there another alternative?

New Member

I have a requirement where I need to search only specific indexes, and the index string is appended dynamically and will have more than 4 indexes, as below:

|metadata type=sources index="100*" OR index="105*" OR index="106*" OR index="203*" OR index="408*" OR index="f" OR index="g" 

The problem here is that if I add more than 4 indexes in the metadata search, it's not getting executed and says "No result found". I need to overcome this. Is there any alternative way to add more indexes in a metadata search?

Note: I need to have only specific indexes, not something like index="*".

I appreciate the help in advance!

Thanks

0 Karma

SplunkTrust

See if my answer here helps:

https://answers.splunk.com/answers/399972/how-to-edit-my-typehost-metadata-search-to-exclude.html

 | rest /services/data/indexes 
 | rename title as indexname
 | search indexname = A OR indexname = B OR indexname = C OR indexname = D ...
 | table indexname
 | map maxsearches=99 search=" | metadata type=sources index=\"$indexname$\" | eval index=\"$indexname$\" " 
0 Karma