Splunk Search

How to edit my search to match indexes ending with a set of values?

ribeiror
Engager

Hi

I have a search that needs to search in several indexes ending with several words, ex:

index=stuff-xxx or index=stuff-yyy or index=stuff-zzz ...

but these xxx, yyy and zzz 'words' are more than 20 and counting, so is there a way to do something like this?:

index=stuff-(xxx|yyy|zzz)

Note: do not suggest a star/asterisk wildcard, I need to ignore everything else, I don't need indexes like stuff-aaa.

Thanks!

0 Karma
1 Solution

adonio
Ultra Champion

create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search myMacro ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps

View solution in original post

sbbadri
Motivator

Try this

eventtypes.conf

[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy ...

Search query :
eventtype="stuff_index" .....

somesoni2
SplunkTrust
SplunkTrust

Try like this

[| gentimes start=-1 | eval index="xxx yyy zzz ppp qqq...all other separated by space" | table index | makemv index | mxpand index | eval index="stuff-".index ] ...rest of the search

The subsearch will dynamically generate that OR list for you, so you just need to add the keyword in the eval index="xxx... part.

adonio
Ultra Champion

create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search myMacro ... rest of search
docs article here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Definesearchmacros
hope it helps

ribeiror
Engager

Yes, this way i can use the macro in several reports and stuff..
Thanks!

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...