Getting Data In

How to get the list of sources and sourcetypes grouped by index for a specific app?

Builder

I am using the below query to get the list of all sourcetypes for a specific app:

| rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetype, "eai:acl.app" AS app_name | search app_name=vams | search sourcetype!=rest AND sourcetype!=a_test AND sourcetype!=my_test_data | dedup sourcetype

This gives me the list of all sources:

| metadata type=sources index=* |dedup source

But how can I group it by indexes to get the source and sourcetype for each index?

0 Karma

Revered Legend

Try this:

| tstats count WHERE [| rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetype, "eai:acl.app" AS app_name | search app_name=vams | search sourcetype!=rest AND sourcetype!=a_test AND sourcetype!=my_test_data | dedup sourcetype | table sourcetype] by index sourcetype source
0 Karma