Splunk Search

Unable to specify more than 4 index="" strings in a metadata search. Is it possible, or is there another alternative?

bsellapi
New Member

I have a requirement where I need to have only specific indexes, and that index string is appended dynamically and will have more than 4 indexes, as below:

|metadata type=sources index="100*" OR index="105*" OR index="106*" OR index="203*" OR index="408*" OR index="f" OR index="g" 

The problem here is that if I add more than 4 indexes in the metadata search, it's not getting executed and says "No result found". I need to overcome this. Is there any alternative way to add more indexes in a metadata search?

Note: I need to have only specific indexes, not something like index="*".

I appreciate the help in advance!

Thanks

0 Karma

javiergn
SplunkTrust

See if my answer here helps:

https://answers.splunk.com/answers/399972/how-to-edit-my-typehost-metadata-search-to-exclude.html

 | rest /services/data/indexes 
 | rename title as indexname
 | search indexname = A OR indexname = B OR indexname = C OR indexname = D ...
 | table indexname
 | map maxsearches=99 search=" | metadata type=sources index=\"$indexname$\" | eval index=\"$indexname$\" "

0 Karma