
indexes dataset function
Use the indexes() function to search event indexes that you have permission to access. Whatever pattern you pass, the function only ever returns indexes your role is allowed to search, so a wildcard does not widen a user's view beyond their permissions.
This function can't be used with metric indexes. However, you can use the union command to merge metric and event index datasets. See Merge datasets using the union command.
Syntax
indexes(<patterns>)
The function name and the parentheses are required. The <patterns> argument is optional; see Required arguments.
Required arguments
The required arguments for the indexes() function depend on the syntax that you use:
Syntax | Description |
---|---|
indexes() | Use this syntax to search your default event indexes, such as main. |
indexes('*') | Use this syntax to search all of the event indexes you have access to. This syntax does not return internal indexes (indexes whose names begin with an underscore). |
indexes('_*') | Use this syntax to search all of the internal event indexes you have access to. |
indexes(<index-name>...) | Use this syntax to search specific event indexes. You must specify at least one index name. Separate multiple index names with commas. You can also name function arguments. See Examples. |
Usage
You can use this function with any generating command, such as the from, join, and union commands.
You can use a wildcard to specify similarly named indexes. You must enclose indexes specified with the asterisk wildcard in single quotation marks. See Examples.
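The resolution rules in the table and Usage section above, as an added example that is not part of the Splunk documentation or product: a small Python model of which indexes a given indexes() call reaches for a given role. The index catalogue (CATALOGUE), the role (ROLE), and the assumption that a pattern must itself start with an underscore to match an internal index are constructed for the example. It exists so that a practitioner can reason about the scope of a search, in particular that a wildcard never widens the result beyond what the role is permitted to see.

```python
"""Model of how the indexes() dataset function resolves its arguments.

Added illustration of the rules documented on this page; this is not Splunk
code. The index catalogue, the role configuration and the wildcard semantics
beyond what the page states are constructed assumptions for the example.
"""
from fnmatch import fnmatchcase
from typing import Iterable

# Constructed catalogue of indexes and their dataset kind. Names that begin
# with "_" are internal indexes.
CATALOGUE = {
    "main": "events",
    "webtraffic": "events",
    "webdata_prod": "events",
    "webdata_dev": "events",
    "logons": "events",
    "logonData2023": "events",
    "webmetrics": "metrics",
    "_audit": "events",
    "_internal": "events",
}

# Constructed role: the indexes this user is permitted to search, and the
# default event indexes used when indexes() is called with no arguments.
ROLE = {
    "allowed": {
        "main", "webtraffic", "webdata_prod", "webdata_dev",
        "logons", "logonData2023", "webmetrics", "_audit",
    },
    "default": {"main"},
}

WILDCARD_CHARS = "*?["


def _matches(pattern: str, name: str) -> bool:
    """Wildcard match with the documented exclusion of internal indexes.

    The page states that indexes('*') does not return internal indexes and
    that indexes('_*') is needed to reach them. Extending that rule to every
    pattern (a pattern must itself start with "_" to match an internal
    index) is an assumption of this model.
    """
    if name.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(name, pattern)


def resolve_indexes(patterns: Iterable[str] = (), role: dict = ROLE,
                    catalogue: dict = CATALOGUE) -> list[str]:
    """Return the sorted list of event indexes that indexes(patterns) searches.

    - no patterns          -> the role's default event indexes
    - a pattern with * ? [ -> every permitted event index it matches
    - a plain name         -> that index, if it exists and is permitted
    Metrics indexes are never returned: naming one explicitly raises, and a
    wildcard hit on one is skipped (skipping rather than raising is an
    assumption; the page only says the function can't be used with them).
    """
    patterns = list(patterns)
    if not patterns:
        names = set(role["default"])
    else:
        names = set()
        for pattern in patterns:
            if any(ch in pattern for ch in WILDCARD_CHARS):
                names.update(n for n in catalogue if _matches(pattern, n))
            else:
                names.add(pattern)

    resolved = []
    for name in sorted(names):
        if catalogue.get(name) == "metrics":
            if name in patterns:
                raise ValueError(
                    f"{name!r} is a metrics index; pass it as a metrics: "
                    "dataset to union instead of to indexes()")
            continue
        # Permission scoping: indexes outside the role's allowed set (here
        # _internal) are dropped, whatever the pattern said.
        if name in role["allowed"]:
            resolved.append(name)
    return resolved


if __name__ == "__main__":
    for args in ([], ["*"], ["_*"], ["webtraffic", "webdata*"], ["data1*", "data2*"]):
        call = "indexes(" + ", ".join(repr(a) for a in args) + ")"
        print(f"{call} -> {resolve_indexes(args)}")
```

Run it directly to print the resolved scope for each documented call form. Note that '*' reaches every permitted non-internal event index, '_*' reaches only the permitted internal ones (_internal is in the catalogue but outside the role, so it is dropped), and naming the metrics index raises, mirroring the page's instruction to pass metrics indexes through the metrics: dataset of union instead.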
Examples
These examples show different ways you can use the indexes() function to search the event indexes you have access to.
1. Retrieve data from your default indexes
| FROM indexes()
2. Retrieve data from all of the indexes you have access to
When you specify a wildcard, you must enclose the asterisk in single quotation marks.
| FROM indexes('*')
3. Retrieve data from a group of similarly named indexes
When you specify a set of indexes using a wildcard, you must enclose the name and wildcard in single quotation marks.
| FROM indexes('data*')
4. Naming function arguments
Naming arguments is optional. In the following example, the argument name patterns is used before the group of similarly named indexes 'data1*' and 'data2*'. When you specify multiple patterns, you must enclose the list of patterns in square brackets and separate the items with commas.
| FROM indexes(patterns: ['data1*', 'data2*'])
5. Merge datasets using the union command
Use the union command to merge the results from multiple datasets. By default the union command interleaves the results in descending time order.
| union indexes(webtraffic, 'webdata*')
This search merges the results from these indexes:
- The index webtraffic
- All indexes that start with webdata
You can't use the indexes function with indexes that have a dataset kind of metrics. You must specify metrics indexes separately from event indexes. For example:
| union indexes(webtraffic, 'webdata*'), metrics: "webmetrics"
This search merges the results from these indexes:
- The index webtraffic
- All indexes that start with webdata
- The metrics index webmetrics
6. Combine datasets using the join command
Use the join command to combine the results from multiple datasets.
This search joins the logons index with all of the indexes that start with logonData. The indexes are joined on the id field. Because the join is an inner join (type=inner), only events whose id value appears in both datasets are returned; max=0 removes the limit on how many events from the right dataset can be matched to each event from the left.
| FROM logons | join type=inner max=0 left=L right=R where L.id=R.id indexes('logonData*')
See also
- Function information
- Overview of SPL2 dataset_functions
- Naming function arguments in the SPL2 Search Manual
This documentation applies to the following versions of Splunk® Cloud Services: current