Source and sourcetype syntax
This table summarizes Splunk App for Stream source and sourcetype search syntax:

Stream 6.1.0 or later | Syntax | Example
Full search syntax | source=stream:<stream-id> sourcetype=stream:<protocol> | (see rows below)
Search for a specific <stream-id> | source=stream:<stream-id> | source=stream:http, source=stream:tcp
Search for all <protocol> streams | sourcetype=stream:<protocol> | sourcetype=stream:http, sourcetype=stream:tcp
Note: The <stream-id> that Splunk App for Stream assigns to an individual stream is the same as the name of the underlying protocol, so for the default streams the source and sourcetype values coincide (for example, source=stream:http and sourcetype=stream:http).
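The searches below are added examples and are not part of the original page. The first inventories which stream ids and sourcetypes are actually indexing data, a useful check before writing detections against Stream events. The next two apply the source and sourcetype syntax from the table; the field names src_ip, dest_ip, dest_port, status and bytes_out are assumed to be the default Stream HTTP and TCP event fields, and the thresholds are illustrative values, not recommendations.

```spl
sourcetype=stream:*
| stats count BY source, sourcetype
| sort - count

sourcetype=stream:http
| stats count AS requests, count(eval(status>=400)) AS failed BY src_ip, dest_ip
| where failed > 50 AND failed/requests > 0.5
| sort - failed

source=stream:tcp sourcetype=stream:tcp
| stats sum(bytes_out) AS bytes_out BY src_ip, dest_ip, dest_port
| where bytes_out > 104857600
| sort - bytes_out
```

The first search confirms the stream ids in your deployment match the protocol names (a custom stream id would show up as its own source value under the protocol's sourcetype). The second flags client/server pairs where most HTTP requests fail, a common signature of scanning or credential brute forcing; the third surfaces TCP flows that moved more than 100 MiB, a starting point for exfiltration triage. Adjust the thresholds to your environment before saving either as an alert.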
This documentation applies to the following versions of Splunk Stream™: 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1