Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

log sources

pradeep577
Path Finder
‎06-01-2018 06:24 AM

Hi,

I have been ask to generate report for top log sources which is generating lot of traffic. I need help to generate report as 

< sourcetype>

Can someone from group help me in this. Currently Im using

| metadata type=sources | where
totalCount>0 | table source totalCount

where i get source & total count but Iam looking for < sourcetype> format.

Thanks in advance.

Tags (1)
0 Karma
Reply

pradeep577
Path Finder
‎06-01-2018 06:48 AM

Hi,

Thnk you for quick reply.
I executed this query

| metadata type=sourcetypes index="wineventlog"
| search totalCount>0
| table source totalCount

Output is:

Source: blank(empty)
Total count : numbers

0 Karma
Reply

pradeep577
Path Finder
‎06-01-2018 06:56 AM

Still same please see attached screenshotalt text

It doesnt give me which logs are contributing to high license usage?

Preview file
12 KB
0 Karma
Reply

FrankVl
Ultra Champion
‎06-01-2018 05:53 PM

| metadata type=sourcetypes doesn’t return a source field, only sourcetype and count and some time stamps (run it without the table command to see the full output).

If you want to count just by sourcetype, just change your table command to show the sourcetype field instead of the source field.

If you want to count by sourcetype and source, metadata command is not your friend. Try this in stead:

| tstats count where index = yourindex by source,sourcetype
0 Karma
Reply

FrankVl
Ultra Champion
‎06-01-2018 06:50 AM

If you get the data by sourcetype, you of course also need to table the sourcetype field, not the source field 🙂

0 Karma
Reply

niketn
Legend
‎06-01-2018 06:29 AM

Try the following:

| metadata type=sourcetypes index="<yourIndexName>"
| search totalCount>0
| table sourcetype totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

FrankVl
Ultra Champion
‎06-01-2018 05:55 PM

Think you’ve caused a bit of confusion by tabling the nonexistent source field 😉

Reply

niketn
Legend
‎06-01-2018 09:50 PM

@FrankVI, thanks for catching that. I have made the correction!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...