Solved: help for requesting on many sourcetype

jip31 · ‎09-02-2021

Hello

I have to search events on many sourcetype with name begin by "ezop:web"

So I use a wildcard after "ezop:web*"

index="tutu" sourcetype=ezop:web*

Is it the good practice or is it better to do somethin like this :

(sourcetype=ezop:web1 OR sourcetype=ezop:web2 OR sourcetype=ezop:web3)

Or pearhaps something else?

Thanks

isoutamo · ‎09-02-2021

Hi

In personally I use the 1st one in most cases. To be sure which one is best for your particular cases I propose you to check with Job Inspector the costs of different versions. This could be different based on cardinality of sourcetypes and amount of your events you have.

Of course if you have ST likes ezop:web1 .... ezop:web9999 then it's better to use 2nd one or sourcetype IN (ezop:web1, ezop:web2, ezop:web3). But as I said, you should use Job Inspector to check which one is best in which case.

r. Ismo

View solution in original post

isoutamo · ‎09-02-2021

Hi

In personally I use the 1st one in most cases. To be sure which one is best for your particular cases I propose you to check with Job Inspector the costs of different versions. This could be different based on cardinality of sourcetypes and amount of your events you have.

Of course if you have ST likes ezop:web1 .... ezop:web9999 then it's better to use 2nd one or sourcetype IN (ezop:web1, ezop:web2, ezop:web3). But as I said, you should use Job Inspector to check which one is best in which case.

r. Ismo

help for requesting on many sourcetype

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!