We've got over 50 sourcetypes; however, when I run the command below, I only see syslog under the sourcetype column.
| metadata type=sourcetypes | sort - totalCount
Does anyone have an explanation?
It's only looking at your default index(es). Try
| metadata type=sourcetypes index=* | sort - totalCount
Thanks @richgalloway, this did the trick!