Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get index in the results with respective sourcetype?

PavanSeerapu
Explorer
‎06-14-2022 08:50 AM

 

index=_internal source=*metrics.log

| eval MB=round(kb/1024,2)

| search group="per_sourcetype_thruput"

| stats sum(MB) by series | eval sourcetype=lower(series)

| table index sourcetype "sum(MB)"

| append [| tstats latest(_time) as latest where index=* earliest=-24h by sourcetype |eval LastReceivedEventTime = strftime(latest,"%c") |table index, sourcetype LastReceivedEventTime | eval sourcetype=lower(sourcetype)]

| stats values(*) as * by sourcetype

| where LastReceivedEventTime != ""

 

 

Above query giving me sourtype, latest time stamp and sum(MB), but unable to get index, can someone please help

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-14-2022 11:42 PM

Hi @PavanSeerapu,

after a stats command, you have only the fields used in the stats, so you have to add the index to all your stats commands,

something like this:

index=_internal source=*metrics.log group="per_sourcetype_thruput"
| eval MB=round(kb/1024,2)
| stats sum(MB) values(index) AS index by series 
| eval sourcetype=lower(series)
| append [ 
   | tstats latest(_time) as latest where index=* earliest=-24h by sourcetype
   | eval LastReceivedEventTime = strftime(latest,"%c") 
   | table index sourcetype LastReceivedEventTime 
   | eval sourcetype=lower(sourcetype)
   ]
| stats values(*) as * by sourcetype
| where LastReceivedEventTime != ""

Ciao.

Giuseppe

0 Karma
Reply

Amick
Loves-to-Learn Lots
‎06-14-2022 11:44 AM

Add index to your subsearch "by" clause

index=_internal source=*metrics.log group="per_sourcetype_thruput"
| eval MB=round(kb/1024,2)
| stats sum(MB) by series | eval sourcetype=lower(series)
| table index sourcetype "sum(MB)"
| append [| tstats latest(_time) as latest where index=* earliest=-24h by index, sourcetype |eval LastReceivedEventTime = strftime(latest,"%c") |table index, sourcetype LastReceivedEventTime | eval sourcetype=lower(sourcetype)]
| stats values(*) as * by sourcetype
| where LastReceivedEventTime != ""
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...