Re: How to see all source and sourcetype list

rameshlpatel · ‎01-29-2014

Hi,

In splunk UI, I am seeing only top 10 source and sourcetype list.

But I want to see all of them. Please suggest me on this.

xlash911 · ‎07-18-2020

All answers querying for all sources from metadata had the same typo.

Use :

|metadata type=sources index=*

sahilverma · ‎01-13-2020

I am looking for sourcetype for parsing .csv files.

Source is Azure mscs:storage:blob

vijayad · ‎08-02-2019

Try to run below btool command and search for your sourcetype

opt/splunk/bin > ./splunk btool inputs list --debug > output.txt

ujeshmaurya · ‎07-02-2019

|metadata type=sourcetypes index="index_name"

|metadata type=source index="index_name"

This will work for sure. 🙂

ujeshmaurya · ‎07-02-2019

|metadata type=sourcetypes index="index_name"

|metadata type=source index="index_name"

This works nicely

wrangler2x · ‎03-05-2019

I like this search. If you have the OS app loaded on your instance (*nix) it has a bunch of its own sourcetypes that are not interesting, so that's why I exclude its index (os). If you don't, you can remove that last line of the search:

The output is a column of sourcetypes, with a second column of the index(es) that sourcetype is found in.

bharathkumarnec · ‎12-27-2017

Why don't you use license_usage.log file to get all the sources and sourcetypes??

index=_internal source=*license_usage.log

You will get all the data with s as source st as sourcetype, using this we can get the required information.

saadhasankhan · ‎06-27-2016

I am not an expert but I got indexes, sources and sourtypes as well as a custom "Customer" field with the following query:

source=* sourcetype=* [| eventcount summarize=false index=* | table index | format "(" "" "" "" "OR" ")"] |
 fillnull value="N/A" Customer 
| stats count by index, source, sourcetype, Customer 
| sort index, source, sourcetype, Customer

axelabs · ‎09-09-2015

I believe the metadata way display's all indexed source[type]'s ever. This may not be the lightest query, but gives me recent things:
" *** | chart count by sourcetype | sort count desc** " in the past hour

somesoni2 · ‎01-29-2014

Use following (faster) for source

| metadata type=hosts index=* OR index=_*

for sourcetypes

| metadata type=sourcetypes index=* OR index=_*

davidcottrell · ‎04-06-2017

This does not work. You need to you source,field entries.

adonio · ‎04-06-2017

try this
| tstats values(source) where index = * by index

joechakkola1 · ‎11-13-2018

thank you , this query was very helpful.

rameshlpatel · ‎01-29-2014

For this I have to run one extra queries for finding list of all source.

there is no any way to get list from existing fired query?

tararso · ‎01-29-2014

to view all sources : index=* |chart count by source
to view all sourcetypes: index=* |chart count by sourcetype

mkinsley_splunk · ‎01-29-2014

the reason this is inefficient is that you are asking the system to do a full scan of the index and aggregate the count. Your poor indexers have to process every single event . |metadata is what you want.

CraigAtNuna · ‎12-27-2017

Don't you need "index=*" and not "index="?

How to see all source and sourcetype list

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life