All Apps and Add-ons

Why is there no sourcetype found when creating new table dataset in the Splunk Datasets Add-on?

_smp_
Builder

When I attempt to create a new table dataset with the 'admin' role in ES 7.0.2, I am first presented with a list of indexes to select from. After I select one, I am taken to a screen to select the sourcetype. But none are found, even when I select 'All indexes'. Since I can't find the underlying search either. Anyone else having this problem?

0 Karma

jacobstark_splu
Splunk Employee
Splunk Employee

Scott, we are looking for current users of the Dataset Add-on, to ask them about usability enhancements. Would you be available? Please let me know at jacobstark@splunk.com

0 Karma

cburke_splunk
Splunk Employee
Splunk Employee

Hi scottprigge,

I cannot speak for the sourcetypes that ES creates, but I can help you try to understand why you may not see any sourcetypes, and give you a way to validate that you should see sourcetypes.

When you have selected some indexes, the Table UI runs an all-time metadata search to find sourcetypes. A runnable (but a little truncated) example of a search it would run is: | metadata index="_internal" type=sourcetypes | search totalCount > 0

The search for totalCount > 0 is very important here, it the totalCount of events. We're trying to show you sourcetypes that have data indexed in them. To make this search applicable for the indexes in your ES deployments, you need to edit the index argument.

What's also interesting is that the search we use to show you what indexes might have events is a little different: | eventcount summarize=f index=_* index=* | where count>0 | stats count by index

By running both of these searches you can see in the search page what might be the root cause if your problem.

Let me know if this helps you to debug the problem!

Cory

0 Karma

_smp_
Builder

Thanks for the reply, I think that is getting me closer. When I run the | metadata search over all time, I get this error:

Error in 'metadata': No 'sourcetype' key found in results. Cannot merge metadata.

This error has cropped up other places too. Suggest I open a support ticket?

0 Karma

cburke_splunk
Splunk Employee
Splunk Employee

You're welcome, scottprigge. I would suggest you open a support ticket because you're in an unusual scenario, you have the eventcount search returning a non-zero count, but then there are supposedly no sourcetypes with events in those indexes.

0 Karma

_smp_
Builder

I did open a support ticket and will post the resolution when I know. Thanks again for pointing me in the right direction.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...