Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get index in the results with respective sourcetype?

PavanSeerapu
Explorer
‎06-14-2022 08:50 AM

 

index=_internal source=*metrics.log

| eval MB=round(kb/1024,2)

| search group="per_sourcetype_thruput"

| stats sum(MB) by series | eval sourcetype=lower(series)

| table index sourcetype "sum(MB)"

| append [| tstats latest(_time) as latest where index=* earliest=-24h by sourcetype |eval LastReceivedEventTime = strftime(latest,"%c") |table index, sourcetype LastReceivedEventTime | eval sourcetype=lower(sourcetype)]

| stats values(*) as * by sourcetype

| where LastReceivedEventTime != ""

 

 

Above query giving me sourtype, latest time stamp and sum(MB), but unable to get index, can someone please help

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-14-2022 11:42 PM

Hi @PavanSeerapu,

after a stats command, you have only the fields used in the stats, so you have to add the index to all your stats commands,

something like this:

index=_internal source=*metrics.log group="per_sourcetype_thruput"
| eval MB=round(kb/1024,2)
| stats sum(MB) values(index) AS index by series 
| eval sourcetype=lower(series)
| append [ 
   | tstats latest(_time) as latest where index=* earliest=-24h by sourcetype
   | eval LastReceivedEventTime = strftime(latest,"%c") 
   | table index sourcetype LastReceivedEventTime 
   | eval sourcetype=lower(sourcetype)
   ]
| stats values(*) as * by sourcetype
| where LastReceivedEventTime != ""

Ciao.

Giuseppe

0 Karma
Reply

Amick
Loves-to-Learn Lots
‎06-14-2022 11:44 AM

Add index to your subsearch "by" clause

index=_internal source=*metrics.log group="per_sourcetype_thruput"
| eval MB=round(kb/1024,2)
| stats sum(MB) by series | eval sourcetype=lower(series)
| table index sourcetype "sum(MB)"
| append [| tstats latest(_time) as latest where index=* earliest=-24h by index, sourcetype |eval LastReceivedEventTime = strftime(latest,"%c") |table index, sourcetype LastReceivedEventTime | eval sourcetype=lower(sourcetype)]
| stats values(*) as * by sourcetype
| where LastReceivedEventTime != ""
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...