Getting Data In

log sources

pradeep577

Hi,

I have been asked to generate a report for the top log sources which are generating a lot of traffic. I need help to generate the report as

<sourcetype>

Can someone from the group help me with this? Currently I'm using

| metadata type=sources
| where totalCount>0
| table source totalCount

where I get source & total count, but I am looking for the <sourcetype> format.

Thanks in advance.


pradeep577

Hi,

Thank you for the quick reply.
I executed this query

| metadata type=sourcetypes index="wineventlog"
| search totalCount>0
| table source totalCount

Output is:

Source: blank (empty)
Total count: numbers


pradeep577

Still the same, please see the attached screenshot.

It doesn't give me which logs are contributing to high license usage.


FrankVl

| metadata type=sourcetypes doesn't return a source field, only sourcetype and count and some timestamps (run it without the table command to see the full output).

If you want to count just by sourcetype, just change your table command to show the sourcetype field instead of the source field.

If you want to count by sourcetype and source, the metadata command is not your friend. Try this instead:

| tstats count where index = yourindex by source,sourcetype

FrankVl

If you get the data by sourcetype, you of course also need to table the sourcetype field, not the source field 🙂


niketn

Try the following:

| metadata type=sourcetypes index="<yourIndexName>"
| search totalCount>0
| table sourcetype totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
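As an added example (not from any post in this thread), the following two searches put the two suggestions above together. The first uses tstats, as FrankVl suggests, to rank index/sourcetype/source combinations by event count; the metadata search niketn gives returns the same per-sourcetype counts but cannot break them down by source. The second addresses the license-usage question directly: license consumption is measured in indexed bytes, not events, and the license manager records per-index/per-sourcetype byte counts in license_usage.log (index _internal, type=Usage, fields idx, st and b). The 24-hour window, the index=* scope and the head 20 limit are assumptions for illustration; adjust them to your environment.

```spl
| tstats count where index=* earliest=-24h@h latest=@h by index, sourcetype, source
| sort 0 - count
| head 20

index=_internal source=*license_usage.log type=Usage earliest=-24h@h latest=@h
| stats sum(b) AS bytes by idx, st
| eval GB=round(bytes/1024/1024/1024, 2)
| sort 0 - bytes
| rename idx AS index, st AS sourcetype
| table index sourcetype GB
```

Run the second search from a search head that can see the license manager's _internal index, since that is where license_usage.log is written. Once the number of distinct source/host combinations grows large, Splunk squashes the per-source (s) and per-host (h) fields in those events, so aggregate on idx and st, which are always reported, and use the tstats search to break a heavy sourcetype down further by source. Both searches use the same snapped 24-hour window so the two result sets cover the same period and can be compared.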

FrankVl

Think you’ve caused a bit of confusion by tabling the nonexistent source field 😉

niketn

@FrankVl, thanks for catching that. I have made the correction!
