topic Re: List field values as input without rendering the events in Splunk Search

List field values as input without rendering the events

Starlette — Sat, 12 Nov 2011 16:41:19 GMT

Is there a smart way to list field values as input without rendering the events?
Example :

I want to list the hosts for a sourcetype=named
so instead of doing a

sourcetype=named | fields host ( and have to use a earliest time)
cause this takes time to render the pulldown module....maybee |metadata ?

Re: List field values as input without rendering the events

_d_ — Sat, 12 Nov 2011 17:31:11 GMT

Not sure I fully understand your question but perhaps this can give you what you need:

sourcetype=named | stats count by host

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Re: List field values as input without rendering the events

Starlette — Sat, 12 Nov 2011 18:50:46 GMT

Well this IS rendering events,,,,fyi if you have 300.000 events per minute then this is slow for shooting it in the pulldown module...
I am testing now with | metadata type=hosts and subsearch for the sourcetype...( and index)
But no luck,,,i think i have to schedule it with summary indexing,,,

Re: List field values as input without rendering the events

_d_ — Sat, 12 Nov 2011 19:39:30 GMT

Yep, if you have that many events per minute and you want to know sourcetypes by hosts over a long period summary indexing is probably your best bet. I found this answer that sheds some more light on the same topic: http://splunk-base.splunk.com/answers/10005/how-to-get-host-sourcetype-and-source-from-a-single-metadata-search

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!