Reporting

How can I get a list of indexes, the source types for the indexes, and the sources for the source types, and be able to select the index as a dropdown?

nls7010
Path Finder

I am able to get a list of indexes and their source types using | metadata type=sources index=* sourcetype=* | dedup source, but I want to add the source types to the list and be able to pick the index from a drop-down so that I get only the source types and sources for a particular index.

1 Solution

nls7010
Path Finder

Got it going, it was just a matter of my time span.


renjith_nair
SplunkTrust

@nls7010, if it works, please accept the answer, or let us know in case of further issues.

Happy Splunking!

nls7010
Path Finder

Thank you for the guide below, but oddly even when I added the dropdown it's not affecting the search. This is one Panel in a dashboard, do I have to do something different to make it work there?


renjith_nair
SplunkTrust

Hi @nls7010,
Try this:

    | tstats count by index, source, sourcetype | fields - count

If you have the index selected, then you could filter by

    | tstats count where index=your_selected_index by source, sourcetype | fields - count

Happy Splunking!

jkat54
SplunkTrust

Do this tstats search in the UI like the other answer shows.


kmorris_splunk
Splunk Employee

Try this search over a time window long enough to get all of the possible indexes, sources, and sourcetypes. Save it to a dashboard panel:

    index=* | stats count by index sourcetype source

Add a dropdown input to your dashboard with this configuration:
[Screenshots of the dropdown input configuration]

Click on the magnifying glass at the top of your dashboard panel when in Edit mode to edit the search. Modify the search to use your token for the index value:

    index=$myindex$ | stats count by index sourcetype source
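
The dropdown-and-token setup from the answers in this thread, written out as dashboard Simple XML source. This is an added example, not part of any original post. The token name `myindex` and the `tstats` searches come from the thread; the dashboard label, the time ranges, the `All` choice and the `|s` token filter are assumptions.

```xml
<!-- Added example: Simple XML for a dashboard with an index dropdown. -->
<!-- Assumptions: the label, the time ranges and the "All" choice. -->
<form version="1.1">
  <label>Index inventory (example)</label>
  <fieldset submitButton="false">
    <!-- The token name "myindex" is the one used in the answer above. -->
    <input type="dropdown" token="myindex" searchWhenChanged="true">
      <label>Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Populate the choices from the indexes that hold data in the window. -->
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| tstats count by index | fields index</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Source types and sources in index: $myindex$</title>
      <table>
        <search>
          <!-- The panel only reacts to the dropdown if its query references
               the token. The |s filter wraps the value in quotes so it is
               treated as a single index name and not as extra search syntax. -->
          <query>| tstats count where index=$myindex|s$ by index, sourcetype, source | fields - count</query>
          <!-- Too short a window hides indexes and sources that were quiet. -->
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>
```

Paste this into the dashboard's Source editor and widen both time ranges if expected indexes or sources are missing from the results.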

nls7010
Path Finder

Thank you all for your replies. I was able to get it to work as above.
