Hi
I have a search that needs to search in several indexes ending with several words, ex:
index=stuff-xxx or index=stuff-yyy or index=stuff-zzz ...
but these xxx, yyy and zzz 'words' are more than 20 and counting, so is there a way to do something like this?:
index=stuff-(xxx|yyy|zzz)
Note: do not suggest a star/asterisk wildcard, I need to ignore everything else, I don't need indexes like stuff-aaa.
Thanks!
create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search `myMacro` ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps
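Since the suffix list is "20 and counting", the macro definition is worth generating rather than hand-editing. The following is an added example (the editor's code, not anything posted in this thread or shipped by Splunk): it builds the OR clause from a list of suffixes, writes it as a macros.conf stanza, and refuses any suffix that is not a plain index-name fragment, so a stray `*` or quote can never widen the search to indexes like stuff-aaa. The suffix list, the macro name stuff_indexes and the tail of the search are constructed placeholders; the allowed character set follows Splunk's index naming rules (lowercase letters, digits, underscore, hyphen).

```python
import re

# Constructed sample list; stands in for the 20+ real suffixes from the thread.
SUFFIXES = ["xxx", "yyy", "zzz", "xyz"]

# Splunk index names are lowercase letters, digits, '_' and '-'. Anything
# else ('*', '"', whitespace, SPL operators) is rejected outright rather than
# escaped, so a wildcard or injected clause cannot slip into the search.
_SAFE_SUFFIX = re.compile(r"^[a-z0-9_-]+$")


def build_index_filter(suffixes, prefix="stuff-"):
    """Return '(index="stuff-xxx" OR index="stuff-yyy" ...)' for the given suffixes.

    Duplicates are dropped (first occurrence wins) and unsafe suffixes raise.
    """
    accepted = []
    for suffix in suffixes:
        if not _SAFE_SUFFIX.fullmatch(suffix):
            raise ValueError(f"refusing unsafe index suffix: {suffix!r}")
        if suffix not in accepted:
            accepted.append(suffix)
    if not accepted:
        raise ValueError("no index suffixes given")
    clauses = (f'index="{prefix}{suffix}"' for suffix in accepted)
    return "(" + " OR ".join(clauses) + ")"


def macro_stanza(name, suffixes, prefix="stuff-"):
    """Return a macros.conf stanza that defines macro `name` as the OR clause."""
    return f"[{name}]\ndefinition = {build_index_filter(suffixes, prefix)}\n"


def search_with_macro(name, rest_of_search):
    """Compose the final search: the macro is invoked in backticks, then the rest."""
    return f"`{name}` {rest_of_search}"


if __name__ == "__main__":
    # Hypothetical macro name and search tail, used only for illustration.
    print(macro_stanza("stuff_indexes", SUFFIXES))
    print(search_with_macro("stuff_indexes", "sourcetype=access_combined status=500"))
```

Paste the printed stanza into macros.conf (or create the macro in Settings > Advanced search > Search macros with the same definition) and add a suffix to SUFFIXES whenever a new stuff-* index appears; the validation step is what keeps the generated clause equivalent to the explicit OR list rather than a wildcard.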
Try this
eventtypes.conf
[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy ...
Search query :
eventtype="stuff_index" .....
Try like this
[| gentimes start=-1 | eval index="xxx yyy zzz ppp qqq...all other separated by space" | table index | makemv index | mvexpand index | eval index="stuff-".index ] ...rest of the search
The subsearch will dynamically generate that OR list for you, so you just need to add the keyword in the eval index="xxx... part.
Yes, this way I can use the macro in several reports and stuff.
Thanks!