identifying sourcetypes by index

cphair
Builder

Hello,

I'd like to display all sourcetypes available for each index in my environment. Unfortunately, metadata type=sourcetypes doesn't preserve the index name, and I want to be able to run it on the entire set of indexes on whatever instance the search runs on (i.e. I don't want to hardcode index=a OR index=b, etc, into the search). I tried getting fancy:


| rest /services/data/indexes | rex field=id mode=sed "s/.*\/(\w+)$/\1/" | search id!="_*" | fields id | map search="|metadata type=sourcetypes index=$id$ | stats list(sourcetype) as sourcetype | eval whereFrom=$id$ | table sourcetype whereFrom"

...but the second $id$ is always null. Can anyone give me a good way to list all indexes and the sourcetypes they contain? As a bonus, if you can explain why my map command doesn't work as expected, I'd appreciate it.

MuS
SplunkTrust

Hi there,

Another one would be tstats, which is lightning fast because it does not look at any _raw data:

| tstats count WHERE index=* by sourcetype, index

cheers, MuS

sojnv
New Member

Thanks MuS

0 Karma

wrangler2x
Motivator

I use that as well, but I like the way this looks better:

| tstats values(sourcetype) AS Sourcetype where index=* by index

And yes, as MuS said, this is lightning fast. Run that and then compare against |metasearch index=* sourcetype=* | stats count by index, sourcetype | fields - count which is way slow by comparison.

0 Karma

sojnv
New Member

So true, thanks.

0 Karma

wrangler2x
Motivator

This REST search works great, and it is fast, too. It lists all sourcetypes by index and the associated event count:

|rest /services/data/indexes count=0
| dedup title
| fields title
| map  [|metadata type=sourcetypes index="$title$"
        | eval type="$title$"] maxsearches=1000
| stats values(totalCount) AS EventCount values(sourcetype) AS Sourcetype by type
| rename type as index
| fields index Sourcetype EventCount

sojnv
New Member

Thanks a lot, this is more accurate and truly fast.

0 Karma

somesoni2
Revered Legend

Try this

|metasearch index=* sourcetype=* | stats count by index, sourcetype | fields - count

cphair
Builder

Perfect. Thank you.

0 Karma

sdewar83
Path Finder

Do you have to do this search against "All Time"? I tried running it and got completely different results when searching All Time vs. 15 minutes.

0 Karma

koshyk
Super Champion

You will get all sourcetypes faster if you do
| metadata type=sourcetypes index=*

0 Karma

theouhuios
Motivator

earliest=-5m@m latest=@m index=*|dedup sourcetype|table index sourcetype

I always use this to list all sourcetypes and their respective indexes.

cphair
Builder

Understood, but my indexes are huge. I would prefer not to search the data itself if I can avoid it--this is the kind of problem that metadata should solve.

0 Karma

theouhuios
Motivator

You can increase the time range to one hour and try it. It will just take extra time to give you the result. How much time the search takes to complete will depend on your Splunk environment.

0 Karma

cphair
Builder

That only works if all the sourcetypes have appeared in the past five minutes, though.

0 Karma
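
On the original poster's bonus question, an added example (not from any post in this thread): map pastes the token's value into the search text, so eval whereFrom=$id$ becomes eval whereFrom=main and eval reads a nonexistent field named main, while the escaped-quote form \"$id$\" yields the string. The first search below reproduces this with a constructed value; the second is the poster's search with the quoting fixed, using title and maxsearches as in wrangler2x's reply.

```spl
| makeresults
| eval id="main"
| map search="| makeresults | eval unquoted=$id$, quoted=\"$id$\" | table unquoted quoted"

| rest /services/data/indexes count=0
| dedup title
| fields title
| map maxsearches=1000 search="| metadata type=sourcetypes index=\"$title$\" | stats values(sourcetype) AS sourcetype | eval whereFrom=\"$title$\" | table whereFrom sourcetype"
```

In the first search, unquoted comes back empty and quoted contains main.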