Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a sourcetype to index map

Log_wrangler
Builder
‎12-29-2017 10:07 AM

I am exploring an unfamiliar Splunk Enterprise deployment.

Normally I use:

 |tstats values(sourcetype) WHERE index=* by index

to get a quick reference map of sourcetype to index, but it only shows a few indexes.... (4 total)

When I run; 

index=* |stats values(sourcetype) by index

I get more (24 total).

When I run:

|metadata type=sourcetypes index=*

I get sourcetypes but not index values in a column

Please advise what I might use to get a comprehensive list of indexes and sourcetypes.
Any explanation for the different results is much appreciated too.

Thank you

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-29-2017 10:13 AM

It's possible you have sourcetypes being changed at search time, which would result in different sourcetypes being indexed than shown at search time. Look in your props.conf for any mention of the rename configuration:

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.

You may try bin/splunk btool props list --debug | grep rename to get a quick "do I see this anywhere" answer.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-29-2017 10:13 AM

It's possible you have sourcetypes being changed at search time, which would result in different sourcetypes being indexed than shown at search time. Look in your props.conf for any mention of the rename configuration:

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.

You may try bin/splunk btool props list --debug | grep rename to get a quick "do I see this anywhere" answer.

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-29-2017 10:43 AM

Thank you for the reply. I will check the props.conf when I am granted access.

I can get by with 

index=* |stats values(sourcetype) by index

but I forgot how to write the code to count the number sourcetypes per index, (not the events per sourcetype)... any advice is greatly appreciated. I have multiple sourcetypes per index and at least 24 so far.

Thank you

Thank you

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-29-2017 10:57 AM

I came up with this
index=* |stats values(sourcetype) dc(sourcetype) by index

Please let me know if there is a better way...

to clarify I want to see a count unique sourcetypes per index, for example main has sourcetype A B C D E, so the count would be 5.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top