Solved: Re: Displaying which indexes/sourcetypes feed data...

chris · ‎04-01-2016

Hi,

is there an easy way to display which indexes (and/or) sourcetypes feed the data models that are configured? Or how do you onboard new data and make sure that you notice if the format of that data changes over time and no longer matches the criteria to be part of a data model?

Regards
Chris

muebel · ‎04-01-2016

Hi Chris, A search such as this will give you an index/sourcetype breakdown of the events in a datamodel (Authentication for example)

| datamodel Authentication Authentication search | search * | stats count by sourcetype,index

If you have particular sourcetypes you care about, you could setup an alert on such a search for those sourcetypes missing.

Please let me know if this answers your question!

View solution in original post

muebel · ‎04-01-2016

Hi Chris, A search such as this will give you an index/sourcetype breakdown of the events in a datamodel (Authentication for example)

| datamodel Authentication Authentication search | search * | stats count by sourcetype,index

If you have particular sourcetypes you care about, you could setup an alert on such a search for those sourcetypes missing.

Please let me know if this answers your question!

chris · ‎03-25-2020

chris · ‎03-25-2020

This answer is also helpful https://answers.splunk.com/answers/597619/list-all-datamodels-with-the-feeds-index-sourcetyp.html

Displaying which indexes/sourcetypes feed datamodels

index

sourcetype

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector