Splunk Search

Is it possible to include metadata in keyword searches?

hulahoop
Splunk Employee

It is a subtlety of the search language that keyword searches run against the raw event data only. To search metadata fields like host, source, sourcetype, one would use the host=/source=/sourcetype= field modifiers. Is there a toggle to enable keyword searches to execute on metadata?

For example, take the following event:

Wed Mar 3 19:04:51 2010 action=update, path="/etc/hosts", isdir=0, size=236, gid=0, uid=0, modtime="Tue Mar 2 11:51:00 2010", mode="rw-r--r--", hash=, chgs="modtime "

The metadata associated with this event is host=myhost, source=fschangemonitor, sourcetype=fs_notification.

If you wanted to find all the fschange events from this host, you couldn't simply type in myhost in the search bar. You need to use host=myhost.

Is it possible to change the default search behavior so that a search on myhost would find these events?

1 Solution

jrodman
Splunk Employee

Unqualified strings search against the event text.

This probably deserves an exploration of the use case and so on in a support conversation. You don't really want all keywords to always search all indexed fields.

If you wanted to get this result today, you would have to arrange for the event text to contain the hostname.



hulahoop
Splunk Employee

Or it would be nice if we could specify which metadata fields are searchable along with event text. For this use case it would be just host.

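As an added example that is not part of the original thread: since there is no toggle to make bare keywords hit metadata, one way to get the behaviour asked for (a single term searched against event text plus host, or plus all three metadata fields) without changing the default is a search macro that expands the term into the field-qualified form. The macro names `anyfield` and `anyhost` and the app path are assumptions; the host, source and sourcetype values are the ones given in the question.

```ini
# $SPLUNK_HOME/etc/apps/search/local/macros.conf
# (app and path are an assumption; any app's local/macros.conf works)

# Hypothetical macro: one term, searched against the raw event text and the
# three metadata fields.  The stanza name carries the argument count, and the
# argument is substituted wherever $term$ appears in the definition.
[anyfield(1)]
args = term
definition = ("$term$" OR host="$term$" OR source="$term$" OR sourcetype="$term$")

# Narrower variant matching the last comment's use case: event text plus host only.
[anyhost(1)]
args = term
definition = ("$term$" OR host="$term$")

# Usage in the search bar (macro calls are wrapped in backticks):
#   `anyfield(myhost)`
#     expands to ("myhost" OR host="myhost" OR source="myhost" OR sourcetype="myhost")
#   `anyhost(myhost)` sourcetype=fs_notification action=update
#     fschange update events whose event text or host field contains "myhost"
```

Two caveats: a bare `myhost` typed without the macro still searches only the event text, and the `OR` across fields is a broader (and somewhat slower) search than `host=myhost`, so keep the macro for ad-hoc lookups rather than for scheduled searches where the field is known.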