Seeing sourcetypes in Endpoint data model

When searching to see which sourcetypes are in the Endpoint data model, I am getting different results if I search:

| tstats `summariesonly` c as count from datamodel="Endpoint" by index, sourcetype

than when I search:

| tstats `summariesonly` c as count from datamodel="Endpoint.Processes" by index, sourcetype

Why wouldn't the sourcetypes under the Processes data set be included in the first search for sourcetypes in the Endpoint data model?

