Hi,
I have been asked to generate a report for the top log sources which are generating a lot of traffic. I need help to generate the report as
< sourcetype>
Can someone from the group help me with this? Currently I'm using
| metadata type=sources | where totalCount>0 | table source totalCount
where I get source & total count, but I am looking for the < sourcetype> format.
Thanks in advance.
Hi,
Thank you for the quick reply.
I executed this query
| metadata type=sourcetypes index="wineventlog"
| search totalCount>0
| table source totalCount
Output is:
Source: blank(empty)
Total count : numbers
| metadata type=sourcetypes
doesn’t return a source field, only sourcetype and count and some time stamps (run it without the table command to see the full output).
If you want to count just by sourcetype, just change your table command to show the sourcetype field instead of the source field.
If you want to count by sourcetype and source, the metadata command is not your friend. Try this instead:
| tstats count where index = yourindex by source,sourcetype
If you get the data by sourcetype, you of course also need to table the sourcetype field, not the source field 🙂
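The tstats approach from the reply above, extended into the ranked "top log sources" report the original question asks for. This is an added example, not a query posted by anyone in this thread; `<yourIndexName>` is a placeholder for the index being reported on, and the time range is whatever the search bar's time picker is set to:

```spl
| tstats count where index="<yourIndexName>" by source, sourcetype
| eventstats sum(count) as total
| eval pct=round(100*count/total, 2)
| sort - count
| head 20
| table sourcetype source count pct
```

The eventstats line adds the index-wide total so pct shows each source/sourcetype pair's share of events; because tstats reads only indexed fields it stays fast over a wide time range, unlike a raw `index=... | stats count by source, sourcetype` over the same window.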
Try the following:
| metadata type=sourcetypes index="<yourIndexName>"
| search totalCount>0
| table sourcetype totalCount
Think you’ve caused a bit of confusion by tabling the nonexistent source field 😉
@FrankVI, thanks for catching that. I have made the correction!