Hi,
I would like to document and control my Splunk deployment configuration.
Do you have any idea how to get a table in which I would get
Index | sourcetype | serverclass
Regards,
With the following search you can get information about your inputs: index | sourcetype | app (where the input config is)
| rest https://localhost:8089/services/data/inputs/all | table index, sourcetype, eai:acl.app
This should give you a rough idea about the origin.
I haven't been able to test it further, but with the following you might be able to get the app/serverclass relation:
| rest https://localhost:8089/services/deployment/client/config
Check the fields eai:acl.app and title for the relation.
This shows the serverclasses per app, but I am not sure if it can be used on any Splunk instance other than the deployment server:
| rest https://localhost:8089/services/deployment/server/applications | table title, serverclasses
Can you explain in a bit more detail? I'm struggling to understand what you want to table.
Well, I would like to be able to know, in indexes, what the sourcetypes are and who puts data in these sourcetypes (by serverclasses).
By doing that I can check that my serverclasses are working and up to date with what I want, and
what configuration is responsible for writing in a particular sourcetype.
Have you tried looking at metadata? You can use that to list sourcetypes etc.
I got that search from Splunk Answers:
| eventcount summarize=false index=* index=_* | dedup index | fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype
which lists index | sourcetype.
So now I need to know who puts data in a sourcetype.
Hi Ed,
From what I know the sourcetype is the path from which the data is taken. I mean, if Splunk is taking the data from xyz.logs, then the source type is the path of this log file.
So to answer the question of who puts the data in the source type: it is the server or the application creating the logs that puts the data in the source type.
I guess I am answering what you are asking; please let me know if I am going off track.
Vinod, I believe what Ed is trying to achieve is to list it in his map, not to have an answer to the question.
OK, but you misunderstand me: the application creates logs, it is not responsible for putting them in Splunk.
It is the sourcetype and the deployed Splunk application which retrieve the application's logs and put them in a particular sourcetype.
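
Added example, not part of any post in this thread: one way to build the Index | sourcetype | serverclass table offline on the deployment server, by reading the `[serverClass:<name>:app:<app>]` stanzas of serverclass.conf and each deployment app's inputs.conf. The conf contents, app names and class names below are constructed, and treating an unset index as `main` is an assumption about the default configuration.

```python
import re
from collections import defaultdict

# Constructed sample data (not taken from the thread).
SERVERCLASS_CONF = """
[serverClass:web_servers]
[serverClass:web_servers:app:TA_apache_inputs]
[serverClass:all_linux:app:TA_nix_inputs]
[serverClass:db_servers:app:TA_nix_inputs]
"""
APP_INPUTS = {  # app name -> text of that app's inputs.conf
    "TA_apache_inputs": "[monitor:///var/log/httpd/access_log]\nindex = web\nsourcetype = access_combined\n",
    "TA_nix_inputs": "[monitor:///var/log/secure]\nindex = os\nsourcetype = linux_secure\n"
                     "[monitor:///var/log/messages]\nsourcetype = syslog\n",
}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def build_table(serverclass_text, app_inputs):
    """Return sorted (index, sourcetype, serverclass) rows."""
    classes_by_app = defaultdict(set)
    for stanza in parse_conf(serverclass_text):
        m = re.fullmatch(r"serverClass:([^:]+):app:(.+)", stanza)
        if m:  # plain [serverClass:<name>] stanzas carry no app mapping
            classes_by_app[m.group(2)].add(m.group(1))
    rows = set()
    for app, text in app_inputs.items():
        for settings in parse_conf(text).values():
            index = settings.get("index", "main")  # assumption: unset index means main
            sourcetype = settings.get("sourcetype", "(unset)")
            for sc in classes_by_app.get(app) or {"(not deployed)"}:
                rows.add((index, sourcetype, sc))
    return sorted(rows)

if __name__ == "__main__":
    for row in build_table(SERVERCLASS_CONF, APP_INPUTS):
        print(" | ".join(row))
```

Rows marked `(not deployed)` are apps with inputs that no serverclass references, which is the drift this kind of audit is meant to surface.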