Hi,
I need to fetch the details of all the eventtypes and their source through a search. I use the search below, but it takes a very long time to complete a search (say more than 30 mins). Is there any effective way to improve the speed of my search? The search I am using is:
eventtype=* | dedup eventtype| table eventtype, source | sort eventtype
Hi SridharS,
Yes there is. You can call the REST endpoint for the eventtypes.conf and display them using this REST search:
| rest /services/configs/conf-eventtypes | rex field=id "(?<EventType>[^/]+$)" | rex field=search "(?<Source>source=.+)" | table EventType Source
Maybe you need to adapt the rex for the Source field, but it should give you a faster search to start with.
cheers, MuS
This gave me the exact result I was looking for:
| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | dedup EventType | table EventType search
Hi MuS, this is what I was actually looking for. On the other hand, I have some eventtype names with spaces in between. I tried changing the above query for this, but I did not get through. My eventtype names contain a-z, 0-9 and the - (minus) symbol. Also, when I run the above query, I am not able to view the source due to the space error.
This should get you what you want.
| rest /services/configs/conf-eventtypes | table title search | rex field=search "(?<Source>source=.+)" | rename title as EventType | table EventType Source
That was perfect. I got the eventtype list exactly (without the space concern). But I am not sure why the source is missing again. When I ran a normal search query I got all the source paths, but here I am just getting "/splunkd_access.log OR source=\\splunkd_access.log" as the source path for 6 or 7 events; the remaining 190+ eventtypes are not displaying a source.
This REST search returns your eventtype definitions and does not run any eventtype searches; that's why you will only get a source string if the eventtype definition contains a source string.
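To illustrate the point above, here is an added Python example (not from the thread or from Splunk) that parses a constructed eventtypes.conf and applies the same "source=.+" pattern as the rex in the answers: only stanzas whose search contains a literal source= clause yield a Source, the greedy .+ keeps everything after it (including any OR clause), and using the stanza title keeps names with spaces intact. The stanza names and search strings are made up.

```python
import re

# Constructed sample eventtypes.conf, standing in for what
# | rest /services/configs/conf-eventtypes returns (title = stanza name,
# search = the stanza's search key). Not taken from the original thread.
SAMPLE_EVENTTYPES_CONF = r"""
[splunkd-access]
search = source=*splunkd_access.log OR source=\\splunkd_access.log
[web-error]
search = sourcetype=access_combined status>=500
[failed login]
search = index=auth source=/var/log/auth.log "Failed password"
"""

# Same pattern as the answer's rex: capture from the first "source=" to end of line.
SOURCE_RE = re.compile(r"(?P<Source>source=.+)")


def parse_eventtypes_conf(text):
    """Return {eventtype_name: search_string} for each [stanza] in the conf text."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # stanza name == REST 'title', spaces kept
            result.setdefault(current, "")
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "search":
                result[current] = value.strip()
    return result


def eventtype_sources(text):
    """Emulate '| rex field=search "(?<Source>source=.+)" | table EventType Source'.
    Source is None when the definition has no literal 'source=' clause."""
    rows = []
    for name, search in sorted(parse_eventtypes_conf(text).items()):
        m = SOURCE_RE.search(search)
        rows.append((name, m.group("Source") if m else None))
    return rows


if __name__ == "__main__":
    for name, source in eventtype_sources(SAMPLE_EVENTTYPES_CONF):
        print(f"{name!r:18} -> {source}")
```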