Hi, I'm looking for a way to run one summary index search on all files of the same sourcetype, and then identify individual files by defining characteristics. For example, a sample log output is:
222 Mon Jun 16 07:00:47 EDT 2014 13384426 2 PS MarkSweep 0 0.0 0 0.0 519045120 524288000 519045120 119919880
and I know that every log from this file will contain either "PS MarkSweep" or "PS Scavenge" in the same position, which in this case is the rex field: | rex "(?i)^(?:[^ ]* ){5}\\d+\\t\\d+\\t\\d+\\t(?P<FIELDNAME>[^\\t]+)" |
How can I run the search returning results only where FIELDNAME is "PS MarkSweep" or "PS Scavenge"? Thank you!!
Not sure if I understand the question correctly, but I'd do this:
PS MarkSweep OR Scavenge | rex "(?i)^(?:[^ ]* ){5}\\d+\\t\\d+\\t\\d+\\t(?P<FIELDNAME>[^\\t]+)" | search FIELDNAME="PS MarkSweep" OR FIELDNAME="PS Scavenge"
Note: the bit in front is for performance gain; that way Splunk will only load events off disk if they contain those words. Consider adding the field extraction to the sourcetype in props.conf.
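As an added illustration of the props.conf suggestion (not part of the original answer), this is what moving the posted rex into a search-time field extraction looks like; the stanza name is a placeholder for the real sourcetype, and the regex is the one from the thread written with single backslashes because props.conf takes the pattern literally rather than as an SPL quoted string.

```ini
# Added example, not from the original thread.
# Put this in $SPLUNK_HOME/etc/system/local/props.conf (or the app's local/props.conf)
# on the search head; the stanza name below is a placeholder for the actual sourcetype.
[your_gc_log_sourcetype]
# Same pattern as the posted "| rex" command: skip five space-separated tokens,
# three tab-separated numeric columns, then capture the collector name into FIELDNAME.
EXTRACT-gc_collector = (?i)^(?:[^ ]* ){5}\d+\t\d+\t\d+\t(?P<FIELDNAME>[^\t]+)

# With the extraction defined, the search no longer needs the inline rex, and the
# keyword terms still restrict what is read off disk before the field filter applies:
#   sourcetype=your_gc_log_sourcetype ("PS MarkSweep" OR "PS Scavenge")
#   | search FIELDNAME="PS MarkSweep" OR FIELDNAME="PS Scavenge"
```

Search-time extractions apply to events as they are searched, so no re-indexing is needed; verify the field appears in the field sidebar for the sourcetype before relying on it in saved searches.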
Aha, it's the search command I was looking for, thanks @martin_mueller 🙂