How to search logs in multiple index, within discover it does not gives option to select multiple indexes in drop down option.
Hi @Phoenix1. Have you checked out the documentation on Kibana data views? I suggest creating a data view with a wildcard index patten:
- To match multiple sources, use a wildcard (*).
filebeat-*matchesfilebeat-apache-a,filebeat-apache-b, and so on.
After creating your data view, it will appear in the different data view selectors across the app including in Discover and the Security Solution:
Please let us know if this solves your issue.
Best,
Steph
1 Like
Hi Steph,
Thanks for your reposne, it seems you are suggesting how to access different logsource types. instead, just see your screen shot where we have to select one or the other index (under drop down)in discover. Let say we have Index1, Index2, Index3 indexes. My question is how to search event/logs in all three in one go ?
I searched and possible answer could be Index pattern, let me know what you think i still needs to check on this if it is the solution.
Just wanted to add that data views are the new name for what index patterns did previously. @Phoenix1 Think the suggested provided by @stephmilovic should work just fine if I'm understanding you right.
ok, Thanks @stephmilovic and @Wave. Will get this check and inform your guys.
Thanks for quick support.
Let say we have Index1, Index2, Index3 indexes. My question is how to search event/logs in all three in one go ?
First let's clean up the example, index names must be lower case. So adjusting the example to be index1, index2, index3
You can create a data view with a wildcard. index* will retrieve the 3 indices you list above. You could also create a data view and explicitly name each index in a comma separated list in the index pattern like index1,index2,index3. We generally recommend using a wildcard index pattern so that all future indices matching this naming pattern will be picked up by the data view. Here is what that looks like in the Create data view UI:
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.