List all datamodels with the feeds (index, sourcetype)

ecanmaster
Explorer

Is there an easy way of showing a list of all used datamodels and which feeds are coming in to each (index, sourcetype)?
So far I can do a search on each datamodel and get the indexes, but this means I have to do this separately for every datamodel.


edoardo_vicendo
Builder

Starting from @jaime_ramirez's solution, I have added a portion of SPL to check which datamodels (if any) your sourcetypes are going into:

| datamodel
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| search NOT modelName IN (Splunk_CIM_Validation)
| fields modelName
| table modelName
| map maxsearches=40 search="tstats summariesonly=true count from datamodel=$modelName$ by sourcetype | eval modelName=\"$modelName$\""
| append [| search index=_internal source=*license_usage.log type="Usage" pool="herePutYourLicensePool"
  | eval sourcetype = st
  | stats count by sourcetype
  | eval modelName="removeit", count=0
  | fields sourcetype modelName count]
| xyseries sourcetype modelName count | fillnull value="N"
| fields - removeit

jaime_ramirez
Communicator

I found this way to be somewhat effective:

| datamodel 
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" 
| fields modelName 
| table modelName 
| map maxsearches=40 search="tstats `summariesonly` count from datamodel=$modelName$ by sourcetype,index | eval modelName=\"$modelName$\""
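A variant of the search above, added here as an illustration and not part of the original thread. It enumerates the data models through the REST endpoint instead of parsing `| datamodel` output with rex, records whether acceleration is enabled for each model (assuming the `acceleration` field returned by /services/data/models is a JSON string with an `enabled` key), drops Splunk_CIM_Validation like the other answers, and uses summariesonly=false so that sourcetypes feeding a model that is not accelerated, or whose summaries have not been built yet, are not reported as missing. The maxsearches value of 100 is an arbitrary ceiling chosen for this example.

```spl
| rest /services/data/models count=0
| search NOT title IN (Splunk_CIM_Validation)
``` "title" is the model ID used in tstats; pull the acceleration flag out of the JSON string ```
| spath input=acceleration path=enabled output=accelerated
| fillnull value="false" accelerated
| table title accelerated
``` one tstats per model; $title$ / $accelerated$ are filled from the current row ```
| map maxsearches=100 search="| tstats summariesonly=false count from datamodel=$title$ by index, sourcetype
    | eval modelName=\"$title$\", accelerated=\"$accelerated$\""
| stats sum(count) as events by modelName accelerated index sourcetype
| sort modelName index sourcetype
```

Because summariesonly=false falls back to scanning raw events for every model, run this over a short time window (an hour is usually enough to see which sourcetypes populate which model) rather than "All time". summariesonly=true, or the Enterprise Security `summariesonly` macro used in the answer above, counts only what the acceleration summaries already contain, which is the view that ES correlation searches actually get, so comparing the two outputs tells you which sourcetypes are mapped to CIM but still invisible to accelerated detections.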

TheDairyGuy
Explorer

Excellent!  I love it when someone provides working SPL that I can just copy and paste - and BOOM it gives me what I need.  Thank you!


makeresults
Engager

Outstanding, Jaime. Thanks for sharing. Without any modification to your search, I was able to copy/paste and find the answer.


chris
Motivator

Worked for me thanks.


ecanmaster
Explorer

Here is a way to do it, but you need to add all the datamodels manually:

| tstats `summariesonly` count from datamodel=datamodel1 by sourcetype,index 
| eval DM="Datamodel1" 
| append 
    [| tstats `summariesonly` count from datamodel=datamodel2 by sourcetype,index 
    | eval DM="datamodel2"] 
| append 
    [| tstats `summariesonly` count from datamodel=datamodel3 by sourcetype,index 
    | eval DM="datamodel3"] 