I have a requirement where I need to have only a specific index and that index string appends dynamically which will have more than 4 indexes as below:
|metadata type=sources index="100*" OR index="105*" OR index="106*" OR index="203*" OR index="408*" OR index="f" OR index="g"
problem here is If I add more than 4 indexes in the metadata search, it's not getting executed and says "No result found". I need to overcome this. Any alternative way to add more indexes in a metadata search?
Note: I need to have only specific index not like index="*"
Appreciate in advance for the help!
Thanks
See if my answer here helps:
https://answers.splunk.com/answers/399972/how-to-edit-my-typehost-metadata-search-to-exclude.html
| rest /services/data/indexes
| rename title as indexname
| search indexname = A OR indexname = B OR indexname = C OR indexname = D ...
| table indexname
| map maxsearches=99 search=" | metadata type=sources index=\"$indexname$\" | eval index=\"$indexname$\" "