I'm not sure what I am doing wrong... I read the documentation and googled and cannot seem to figure it out.
I'm using Splunk 4.1. If I want to search for a specific keyword in a specified sourcetype using the web interface, I type the following into the search bar:
keyword_abc sourcetype=sourcetype_123
This gives correct results - I see log entries from sourcetype_123 that mention keyword_abc.
Transforming this to a CLI via SSH, I have:
ssh username@sp.lu.nk.ser /opt/splunk/bin/splunk dispatch 'keyword_abc sourcetype=sourcetype_123' -output csv -auth user:pass
This gives me ALL matches of keyword_abc on all sourcetypes. If I switch the dispatch text around to
dispatch 'sourcetype=sourcetype_123 keyword_abc'
I get ALL (top 100) lines from sourcetype_123 which may or may not include keyword_abc.
I tried changing dispatch to search. I tried adding AND and + between source and keyword. I don't know what else to do to get a specific keyword in a specified sourcetype. Please help!