I like this search. If you have the OS app loaded on your instance (*nix), it has a bunch of its own sourcetypes that are not interesting, so that's why I exclude its index (os). If you don't, you can remove that last line of the search:
| rest /services/data/indexes count=0
| dedup title
| fields title
| map [| metadata type=sourcetypes index="$title$" | eval type="$title$"] maxsearches=1000
| stats values(type) AS index, values(totalCount) BY sourcetype
| sort sourcetype
| search NOT index=os
The output is a column of sourcetypes, with a second column of the index(es) that sourcetype is found in.
Why don't you use the license_usage.log file to get all the sources and sourcetypes?
You will get all the data with s as source and st as sourcetype; using this we can get the required information.
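As an added worked example (not part of the original reply), this is how the license_usage.log approach can be written out. It uses the fields that Splunk's own license usage events carry (idx, s, st, b, type=Usage); the output field names and the MB rounding are my choices.

```spl
index=_internal source=*license_usage.log* type="Usage"
| stats sum(b) AS bytes, latest(_time) AS last_seen BY idx, s, st
| eval MB = round(bytes / 1024 / 1024, 2)
| convert ctime(last_seen)
| rename idx AS index, s AS source, st AS sourcetype
| table index source sourcetype MB last_seen
| sort index source sourcetype
```

Two caveats worth knowing before relying on this for an inventory: license_usage.log is written on the license manager, so the search has to run there or against a search head that receives its _internal data; and once the number of distinct (source, host) combinations exceeds squash_threshold in server.conf (default 2000), Splunk squashes the s and h values and only keeps the idx and st breakdown, so the source column can come back empty on busy deployments. It also only reaches back as far as your _internal retention.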
I am not an expert, but I got indexes, sources and sourcetypes as well as a custom "Customer" field with the following query:
source=* sourcetype=* [| eventcount summarize=false index=* | table index | format "(" "" "" "" "OR" ")"]
| fillnull value="N/A" Customer
| stats count BY index, source, sourcetype, Customer
| sort index, source, sourcetype, Customer
I believe the metadata way displays all indexed source[type]s ever. This may not be the lightest query, but it gives me recent things:
* | chart count by sourcetype | sort count desc
(run over the past hour)
The reason this is inefficient is that you are asking the system to do a full scan of the index and aggregate the count. Your poor indexers have to process every single event. | metadata is what you want.
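As an added example (mine, not from the thread), here is the "recent sourcetypes" question answered with metadata instead of a full event scan. metadata returns firstTime, lastTime, recentTime and totalCount per sourcetype from bucket summaries, so the 60-minute window below is applied to recentTime (the most recent index time) rather than by scanning events; the one-hour window and the derived minutes_since_last_event column are my choices.

```spl
| metadata type=sourcetypes index=*
| where recentTime >= relative_time(now(), "-60m")
| eval minutes_since_last_event = round((now() - recentTime) / 60)
| convert ctime(firstTime) ctime(lastTime) ctime(recentTime)
| table sourcetype totalCount firstTime lastTime recentTime minutes_since_last_event
| sort - recentTime
```

Note that recentTime is based on when data was indexed, not the event's own _time, so a backfill of old logs shows up here even though lastTime may be days in the past; and because metadata does not return the index name, combine it with the rest/map search above if you need to know which index each sourcetype lives in.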