Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

list all datamodels with the feeds (index, sourcetype)

ecanmaster
Explorer
‎12-12-2017 12:52 AM

Is there an easy way of showing list of all used datamodels and with which are coming in (index, sourcetype)?
So far I can do a search on each datamodel and get the indexes, but this means I have to do this separately on every datamodel.

Tags (1)
Reply

edoardo_vicendo
Builder
‎02-24-2021 09:04 AM

Starting from @jaime_ramirez  solution I have added a portion of SPL to check whether or not your sourcetypes are going into which datamodels:

| datamodel
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| search NOT modelName IN (Splunk_CIM_Validation)
| fields modelName
| table modelName
| map maxsearches=40 search="tstats summariesonly=true count from datamodel=$modelName$ by sourcetype | eval modelName=\"$modelName$\""
| append [| search index=_internal source=*license_usage.log type="Usage" pool="herePutYourLicensePool"
  | eval sourcetype = st
  | stats count by sourcetype
  | eval modelName="removeit", count=0
  | fields sourcetype modelName count]
| xyseries sourcetype modelName count | fillnull value="N"
| fields - removeit

 

Reply

jaime_ramirez
Communicator
‎07-16-2019 03:53 PM

I found this way to be somewhat effective

| datamodel 
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" 
| fields modelName 
| table modelName 
| map maxsearches=40 search="tstats `summariesonly` count from datamodel=$modelName$ by sourcetype,index | eval modelName=\"$modelName$\""
Tags (1)
Reply

TheDairyGuy
Explorer
‎06-23-2021 08:05 AM

Excellent!  I love it when someone provides working SPL that I can just copy and paste - and BOOM it gives me what I need.  Thank you!

Tags (2)
0 Karma
Reply

makeresults
Engager
‎08-13-2019 01:27 PM

Outstanding, Jaime. Thanks for sharing. Without any modification to your search, I was able to copy/paste and find the answer.

0 Karma
Reply

chris
Motivator
‎11-18-2019 11:17 PM

Worked for me thanks.

0 Karma
Reply

ecanmaster
Explorer
‎12-12-2017 05:25 AM

here is a way on how to do it, but you need to add all the datamodels manually:

| tstats `summariesonly` count from datamodel=datamodel1 by sourcetype,index 
| eval DM="Datamodel1" 
| append 
    [| tstats `summariesonly` count from datamodel=datamodel2 by sourcetype,index 
    | eval DM="datamodel2"] 
| append 
    [| tstats `summariesonly` count from datamodel=datamodel3 by sourcetype,index 
    | eval DM="datamodel3"]
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...