Re: spl query output mismatch

vinitpathri · ‎04-11-2020

index=_internal host=abc123 source="metrics.log" group=tcpin_connections fwdType=uf
|dedup hostname
|table hostname

i am putting hostname= xyz578(output of above query) in the below query

index=* host=abc123 "xyz578"
but not getting any output

please help me with this missing part.

richgalloway · ‎04-11-2020

index=* does not match index=_internal. You need index=_* to do that. Yeah, I know, not logical.

---
If this reply helps you, Karma would be appreciated.

vinitpathri · ‎04-16-2020

sorry but i didnt get it 😄

richgalloway · ‎04-16-2020

What did you not get?

---
If this reply helps you, Karma would be appreciated.

vinitpathri · ‎04-16-2020

index=_* should be a subset of index=*

vinitpathri · ‎04-16-2020

asterik is not visible in the comment :-?

index=_(asterik)should be a subset of index=(asterik)

richgalloway · ‎04-17-2020

Agreed, but that's not how it works with indexes and Splunk. That's what I meant by "not logical".

---
If this reply helps you, Karma would be appreciated.

spl query output mismatch