This shows the serverclasses per app but i not sure if it can be used on any splunk instance other than the deployment server
| rest https://localhost:8089/services/deployment/server/applications | table title, serverclasses

well, i would like to be able to know in indexes, what are the sourcetypes and who put data in these sourcetypes(by servevclasses).

by doing that i can control my serverclasses are working and up to date with what i want

what configuration is responsible for writing in a particuliar sourcetype

Have you tried looking at metadata, you can use that to list sourcetypes etc?

i got that seach from splunk answer :

| eventcount summarize=false index=* index=_* | dedup index | fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype

wich list index | sourcetype

so now i need to know who puts data in a sourcetype..

Hi Ed,

From what I know the sourcetype is the path from which the data is taken, I mean if splunk is taking the data from xyz.logs then source type is the path of this log file.

So to answer the question of who puts the data in source type: it is the server or the application creating the logs puts the data in the source type.

I guess I am answering what you are asking, please let me know if I am going out of the track.

Vinod I believe what Ed is trying to achieve is to list it in his map, not to have an answer to the question.

ok but you missunderstand me, the application creates logs it is not responsible for putting it in splunk.

it is the sourcetype and the deployed splunk application wich retrieve the application's logs and put it in a particuliar sourcetype .