How to create a report about each index and the so...

giy4 · ‎11-10-2015

I need to create a report that shows each index on my system and the relevant data about sourcetypes within the index. I know I can use |metadata type=sourcetypes index=myindex and get the information for a specific index, but I want to basically pull all of my indexes and run that command for each of the indexes I have.

alacercogitatus · ‎11-10-2015

Ok, so here you go. This uses the rest command, and the metadata command. It will increase in execution time as the number of indexes increases.

|rest /services/data/indexes count=0 | dedup title | fields title | map  [|metadata type=sourcetypes index="$title$" | eval type="$title$"] maxsearches=1000 | stats values(totalCount) by sourcetype type | rename type as index

How to create a report about each index and the sourcetypes it contains?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to create a report about each index and the sourcetypes it contains?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem