
How to search for data with two source types

anandhalagarasa
Path Finder

Hi Team,

We got a requirement to ingest logs from Azure Storage blob, so we installed the Splunk_TA_microsoft-cloudservices add-on (version 3.1.0) and configured the inputs for it.

Based on that, logs are getting ingested into Splunk. During configuration we provided the input information with index "xyz" and source type "abc".

When we search the data in the Search & Reporting app with index "xyz", we are able to see the data, which is in JSON format, and the logs are getting ingested with two source types, since the requesting team was passing the logs with two source types in Splunk Cloud (i.e. "abc" and "def").
Actually, we have created the Azure Storage blob input with "abc".
So now we need to search the data which comes with "def" alone.
We need the search for the same.

0 Karma

amitm05
Builder

Hi anandhalagarasan

You only need to specify the sourcetype along with the index you want to search.
Like:
index="xyz" sourcetype="def"

This would give you the data only from index "xyz" and sourcetype "def".

0 Karma
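A set of checks to run alongside the answer above, added here as an example and not part of any post in this thread. It assumes the index "xyz" and the sourcetypes "abc" and "def" named in the question, and a 24-hour time window chosen only for illustration. The first search uses tstats, which reads indexed fields only, so it shows exactly which sourcetype values were written at index time for that index. The second search is the filter from the answer. The third search is the same filter with a stats over sourcetype: it should return a single row for "def". The fourth search uses the sourcetype::def form, which forces a match on the indexed sourcetype field rather than on any search-time extracted field that happens to share the name (a JSON key called "sourcetype" inside the payload is one such possibility, stated here as an assumption, not something the thread confirms).

```spl
| tstats count WHERE index="xyz" earliest=-24h BY sourcetype, source

index="xyz" sourcetype="def" earliest=-24h

index="xyz" sourcetype="def" earliest=-24h | stats count BY sourcetype

index="xyz" sourcetype::def earliest=-24h | stats count BY sourcetype
```

If the tstats search lists only "abc", then "def" was never set as the indexed sourcetype for these events, and the value seen in search results comes from somewhere else in the event; compare the sourcetype column from the third and fourth searches to confirm which is the case before changing the input configuration.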

anandhalagarasa
Path Finder

@amitm05, it's not working as expected. I have tried it, and when I search the data it is picking up both of the sourcetypes. So is there any specific search query which I can use to filter out only the particular sourcetype?

0 Karma

amitm05
Builder

It is not supposed to give you results from any other sourcetype when we specifically mention in the SPL which sourcetype we want to look into.
Can you paste a screenshot here of your search and results?

0 Karma