Archive

list all datamodels with the feeds (index, sourcetype)

Explorer

Is there an easy way of showing list of all used datamodels and with which are coming in (index, sourcetype)?
So far I can do a search on each datamodel and get the indexes, but this means I have to do this separately on every datamodel.

Tags (1)

Communicator

I found this way to be somewhat effective

| datamodel 
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" 
| fields modelName 
| table modelName 
| map maxsearches=40 search="tstats `summariesonly` count from datamodel=$modelName$ by sourcetype,index | eval modelName=\"$modelName$\""
Tags (1)

Engager

Outstanding, Jaime. Thanks for sharing. Without any modification to your search, I was able to copy/paste and find the answer.

0 Karma

Motivator

Worked for me thanks.

0 Karma

Explorer

here is a way on how to do it, but you need to add all the datamodels manually:

| tstats `summariesonly` count from datamodel=datamodel1 by sourcetype,index 
| eval DM="Datamodel1" 
| append 
    [| tstats `summariesonly` count from datamodel=datamodel2 by sourcetype,index 
    | eval DM="datamodel2"] 
| append 
    [| tstats `summariesonly` count from datamodel=datamodel3 by sourcetype,index 
    | eval DM="datamodel3"] 
0 Karma