When I attempt to create a new table dataset with the 'admin' role in ES 7.0.2, I am first presented with a list of indexes to select from. After I select one, I am taken to a screen to select the sourcetype. But none are found, even when I select 'All indexes'. I can't find the underlying search either. Anyone else having this problem?
Scott, we are looking for current users of the Dataset Add-on, to ask them about usability enhancements. Would you be available? Please let me know at jacobstark@splunk.com
Hi scottprigge,
I cannot speak for the sourcetypes that ES creates, but I can help you try to understand why you may not see any sourcetypes, and give you a way to validate that you should see sourcetypes.
When you have selected some indexes, the Table UI runs an all-time metadata search to find sourcetypes. A runnable (but a little truncated) example of a search it would run is: | metadata index="_internal" type=sourcetypes | search totalCount > 0
The search for totalCount > 0 is very important here; it is the totalCount of events. We're trying to show you sourcetypes that have data indexed in them. To make this search applicable for the indexes in your ES deployment, you need to edit the index argument.
What's also interesting is that the search we use to show you what indexes might have events is a little different: | eventcount summarize=f index=_* index=* | where count>0 | stats count by index
By running both of these searches you can see in the search page what might be the root cause of your problem.
Let me know if this helps you to debug the problem!
Cory
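As an added example (not part of the original thread or of Splunk's own code), here is a small Python script that runs the two searches from the answer above through the Splunk REST export endpoint and reports any index that the eventcount search lists as populated but for which the metadata search returns no sourcetype with totalCount > 0. The management URL, bearer token and sample rows are assumptions.

```python
import json
from typing import Iterable, Iterator
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# The two searches from the answer; the metadata one is templated per index
# because its index argument has to be edited for the deployment.
EVENTCOUNT_SPL = "| eventcount summarize=f index=_* index=* | where count>0 | stats count by index"
METADATA_SPL = '| metadata index="{index}" type=sourcetypes | search totalCount > 0'


def export_search(base_url: str, token: str, spl: str) -> Iterator[dict]:
    """Run SPL over all time via /services/search/jobs/export and yield result rows.

    Assumes base_url is the management port (e.g. https://host:8089) and a bearer token.
    """
    body = urlencode({"search": spl, "output_mode": "json", "earliest_time": "0"}).encode()
    req = Request(f"{base_url}/services/search/jobs/export", data=body,
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:  # export streams one JSON object per line
        for line in resp:
            obj = json.loads(line)
            # Surface search errors such as "Cannot merge metadata" instead of
            # silently treating them as "no sourcetypes" (assumed message shape).
            for msg in obj.get("messages", []):
                if msg.get("type") in ("ERROR", "FATAL"):
                    raise RuntimeError(msg.get("text", "search failed"))
            if "result" in obj:
                yield obj["result"]


def indexes_without_sourcetypes(eventcount_rows: Iterable[dict],
                                metadata_by_index: dict) -> list:
    """Indexes with a non-zero eventcount row but no sourcetype whose totalCount > 0."""
    missing = []
    for row in eventcount_rows:
        if int(row.get("count", 0)) <= 0:
            continue
        sourcetypes = metadata_by_index.get(row["index"], [])
        if not any(int(st.get("totalCount", 0)) > 0 for st in sourcetypes):
            missing.append(row["index"])
    return sorted(missing)


def diagnose(base_url: str, token: str) -> list:
    ec = list(export_search(base_url, token, EVENTCOUNT_SPL))
    meta = {r["index"]: list(export_search(base_url, token, METADATA_SPL.format(index=r["index"])))
            for r in ec}
    return indexes_without_sourcetypes(ec, meta)


# Constructed sample rows standing in for the two search results.
SAMPLE_EVENTCOUNT = [{"index": "main", "count": "1"}, {"index": "notable", "count": "1"}]
SAMPLE_METADATA = {"main": [{"sourcetype": "syslog", "totalCount": "42"}], "notable": []}
```

Running diagnose() against a live instance prints nothing by itself; call it and inspect the returned list, which is empty when every populated index exposes at least one sourcetype.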
Thanks for the reply, I think that is getting me closer. When I run the | metadata search over all time, I get this error:
Error in 'metadata': No 'sourcetype' key found in results. Cannot merge metadata.
This error has cropped up other places too. Suggest I open a support ticket?
You're welcome, scottprigge. I would suggest you open a support ticket because you're in an unusual scenario: you have the eventcount search returning a non-zero count, but then there are supposedly no sourcetypes with events in those indexes.
I did open a support ticket and will post the resolution when I know. Thanks again for pointing me in the right direction.