Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Report to break down indexes, source types and hosts.

brent_weaver
Builder
‎05-05-2017 11:08 AM

I am trying to write a live data dictionary in splunk so I don't have to maintain a list of indices and source types and how they map to hosts. Hopefully this makes sense. I would like the user to be able to look at a dashboard that lays out the index, source type and host.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎05-05-2017 11:34 AM

You could run this as a scheduled search:
| tstats values(host) as hosts where index=* groupby index,sourcetype | outputlookup splunk_data_catalog

Then create a report shared with all users that just has:
| inputlookup splunk_data_catalog

Make sure you create a splunk_data_catalog lookup definition that is also shared with all users.

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎05-05-2017 11:34 AM

You could run this as a scheduled search:
| tstats values(host) as hosts where index=* groupby index,sourcetype | outputlookup splunk_data_catalog

Then create a report shared with all users that just has:
| inputlookup splunk_data_catalog

Make sure you create a splunk_data_catalog lookup definition that is also shared with all users.

Reply
Solved! Jump to solution

alemarzu
Motivator
‎05-05-2017 11:39 AM

@mason query seems to be okey but I believe it lacks the .csv at the end of the file name to work.

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎05-05-2017 12:58 PM

It will work after you create the lookup definition. You can run the first query without the outputlookup, then export the file and upload it back to Splunk by going to Settings, Lookup Files, and add it there. Then go to Settings, Lookup Definitions, create a new one, name it whatever you like, then point it at the CSV you just uploaded. Share the new lookup definition, then try the inputlookup using the name of the lookup definition you defined.

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎05-08-2017 06:05 AM

I'm aware of that, I just wanted to mentioned it before Brent came up with an error running that query. Thank you for taking the time to explain though.

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎05-08-2017 10:18 AM

It would not produce an error. You may be thinking of the inputcsv and outputcsv commands, which I believe do require a .csv extension since they call a .csv file directly instead of a lookup definition.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-05-2017 11:14 AM

kindly use the | metadata command
https://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Metadata
here is another option using tstats for fast performance
| tstats values(sourcetype) where index=* by host

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎05-08-2017 10:19 AM

@brent_weaver just wanted to follow-up and see if you were able to get this working?

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎05-08-2017 10:19 AM

@brent_weaver just wanted to follow-up and see if you were able to get this working.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...