Solved: Re: Displaying which indexes/sourcetypes feed data...

chris · ‎04-01-2016

Hi,

is there an easy way to display which indexes (and/or) sourcetypes feed the data models that are configured? Or how do you onboard new data and make sure that you notice if the format of that data changes over time and no longer matches the criteria to be part of a data model?

Regards
Chris

muebel · ‎04-01-2016

Hi Chris, A search such as this will give you an index/sourcetype breakdown of the events in a datamodel (Authentication for example)

| datamodel Authentication Authentication search | search * | stats count by sourcetype,index

If you have particular sourcetypes you care about, you could setup an alert on such a search for those sourcetypes missing.

Please let me know if this answers your question!

View solution in original post

muebel · ‎04-01-2016

Hi Chris, A search such as this will give you an index/sourcetype breakdown of the events in a datamodel (Authentication for example)

| datamodel Authentication Authentication search | search * | stats count by sourcetype,index

If you have particular sourcetypes you care about, you could setup an alert on such a search for those sourcetypes missing.

Please let me know if this answers your question!

chris · ‎03-25-2020

chris · ‎03-25-2020

This answer is also helpful https://answers.splunk.com/answers/597619/list-all-datamodels-with-the-feeds-index-sourcetyp.html

Displaying which indexes/sourcetypes feed datamodels

index

sourcetype

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?