All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is there no sourcetype found when creating new table dataset in the Splunk Datasets Add-on?

_smp_
Builder
‎03-30-2018 12:29 PM

When I attempt to create a new table dataset with the 'admin' role in ES 7.0.2, I am first presented with a list of indexes to select from. After I select one, I am taken to a screen to select the sourcetype. But none are found, even when I select 'All indexes'. Since I can't find the underlying search either. Anyone else having this problem?

0 Karma
Reply

jacobstark_splu
Splunk Employee
Splunk Employee
‎01-13-2020 11:23 AM

Scott, we are looking for current users of the Dataset Add-on, to ask them about usability enhancements. Would you be available? Please let me know at jacobstark@splunk.com

0 Karma
Reply

cburke_splunk
Splunk Employee
Splunk Employee
‎04-03-2018 10:43 AM

Hi scottprigge,

I cannot speak for the sourcetypes that ES creates, but I can help you try to understand why you may not see any sourcetypes, and give you a way to validate that you should see sourcetypes.

When you have selected some indexes, the Table UI runs an all-time metadata search to find sourcetypes. A runnable (but a little truncated) example of a search it would run is: | metadata index="_internal" type=sourcetypes | search totalCount > 0

The search for totalCount > 0 is very important here, it the totalCount of events. We're trying to show you sourcetypes that have data indexed in them. To make this search applicable for the indexes in your ES deployments, you need to edit the index argument.

What's also interesting is that the search we use to show you what indexes might have events is a little different: | eventcount summarize=f index=_* index=* | where count>0 | stats count by index

By running both of these searches you can see in the search page what might be the root cause if your problem.

Let me know if this helps you to debug the problem!

Cory

0 Karma
Reply

_smp_
Builder
‎04-03-2018 10:50 AM

Thanks for the reply, I think that is getting me closer. When I run the | metadata search over all time, I get this error:

Error in 'metadata': No 'sourcetype' key found in results. Cannot merge metadata.

This error has cropped up other places too. Suggest I open a support ticket?

0 Karma
Reply

cburke_splunk
Splunk Employee
Splunk Employee
‎04-03-2018 01:41 PM

You're welcome, scottprigge. I would suggest you open a support ticket because you're in an unusual scenario, you have the eventcount search returning a non-zero count, but then there are supposedly no sourcetypes with events in those indexes.

0 Karma
Reply

_smp_
Builder
‎04-03-2018 01:46 PM

I did open a support ticket and will post the resolution when I know. Thanks again for pointing me in the right direction.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...