topic Re: Create a sourcetype to index map in Splunk Search

Create a sourcetype to index map

Log_wrangler — Fri, 29 Dec 2017 18:07:57 GMT

I am exploring an unfamiliar Splunk Enterprise deployment.

Normally I use:

 |tstats values(sourcetype) WHERE index=* by index

to get a quick reference map of sourcetype to index, but it only shows a few indexes.... (4 total)

When I run;

index=* |stats values(sourcetype) by index

I get more (24 total).

When I run:

|metadata type=sourcetypes index=*

I get sourcetypes but not index values in a column

Please advise what I might use to get a comprehensive list of indexes and sourcetypes.
Any explanation for the different results is much appreciated too.

Thank you

Re: Create a sourcetype to index map

micahkemp — Fri, 29 Dec 2017 18:13:38 GMT

It's possible you have sourcetypes being changed at search time, which would result in different sourcetypes being indexed than shown at search time. Look in your props.conf for any mention of the rename configuration:

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.

You may try bin/splunk btool props list --debug | grep rename to get a quick "do I see this anywhere" answer.

Re: Create a sourcetype to index map

Log_wrangler — Fri, 29 Dec 2017 18:43:06 GMT

Thank you for the reply. I will check the props.conf when I am granted access.

I can get by with

index=* |stats values(sourcetype) by index

but I forgot how to write the code to count the number sourcetypes per index, (not the events per sourcetype)... any advice is greatly appreciated. I have multiple sourcetypes per index and at least 24 so far.

Thank you

Re: Create a sourcetype to index map

Log_wrangler — Fri, 29 Dec 2017 18:57:31 GMT

I came up with this
index=* |stats values(sourcetype) dc(sourcetype) by index

Please let me know if there is a better way...

to clarify I want to see a count unique sourcetypes per index, for example main has sourcetype A B C D E, so the count would be 5.