https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272102#M86019 <P>This answer is also helpful <A href="https://answers.splunk.com/answers/597619/list-all-datamodels-with-the-feeds-index-sourcetyp.html">https://answers.splunk.com/answers/597619/list-all-datamodels-with-the-feeds-index-sourcetyp.html</A></P> Wed, 25 Mar 2020 10:34:49 GMT chris 2020-03-25T10:34:49Z https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272100#M86017 <P>Hi,</P> <P>is there an easy way to display which indexes (and/or) sourcetypes feed the data models that are configured? Or how do you onboard new data and make sure that you notice if the format of that data changes over time and no longer matches the criteria to be part of a data model?</P> <P>Regards <BR />Chris</P> Wed, 17 Jun 2020 17:48:47 GMT https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272100#M86017 chris 2020-06-17T17:48:47Z https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272101#M86018 <P>Hi Chris, A search such as this will give you an index/sourcetype breakdown of the events in a datamodel (Authentication for example)</P> <PRE><CODE>| datamodel Authentication Authentication search | search * | stats count by sourcetype,index </CODE></PRE> <P>If you have particular sourcetypes you care about, you could setup an alert on such a search for those sourcetypes missing.</P> <P>Please let me know if this answers your question!</P> Fri, 01 Apr 2016 15:07:55 GMT https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272101#M86018 muebel 2016-04-01T15:07:55Z https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272102#M86019 <P>This answer is also helpful <A href="https://answers.splunk.com/answers/597619/list-all-datamodels-with-the-feeds-index-sourcetyp.html">https://answers.splunk.com/answers/597619/list-all-datamodels-with-the-feeds-index-sourcetyp.html</A></P> Wed, 25 Mar 2020 10:34:49 GMT https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272102#M86019 chris 2020-03-25T10:34:49Z https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272103#M86020 <P>That ist he search @jaime.ramirez proposes in his answer:<BR /> | datamodel <BR /> | rex field=_raw "\"modelName\"\s*:\s*\"(?[^\"]+)\"" <BR /> | fields modelName <BR /> | table modelName <BR /> | map maxsearches=40 search="tstats <CODE>summariesonly</CODE> count from datamodel=$modelName$ by sourcetype,index | eval modelName=\"$modelName$\""</P> Wed, 30 Sep 2020 04:42:07 GMT https://community.splunk.com/t5/Getting-Data-In/Displaying-which-indexes-sourcetypes-feed-datamodels/m-p/272103#M86020 chris 2020-09-30T04:42:07Z