Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Create a sourcetype to index map
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am exploring an unfamiliar Splunk Enterprise deployment.
Normally I use:
|tstats values(sourcetype) WHERE index=* by index
to get a quick reference map of sourcetype to index, but it only shows a few indexes.... (4 total)
When I run;
index=* |stats values(sourcetype) by index
I get more (24 total).
When I run:
|metadata type=sourcetypes index=*
I get sourcetypes but not index values in a column
Please advise what I might use to get a comprehensive list of indexes and sourcetypes.
Any explanation for the different results is much appreciated too.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's possible you have sourcetypes being changed at search time, which would result in different sourcetypes being indexed than shown at search time. Look in your props.conf for any mention of the rename configuration:
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the
field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
configuration for the target sourcetype. Field extractions
(REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
You may try bin/splunk btool props list --debug | grep rename to get a quick "do I see this anywhere" answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's possible you have sourcetypes being changed at search time, which would result in different sourcetypes being indexed than shown at search time. Look in your props.conf for any mention of the rename configuration:
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the
field _sourcetype.
* Data from a a renamed sourcetype will only use the search-time
configuration for the target sourcetype. Field extractions
(REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
You may try bin/splunk btool props list --debug | grep rename to get a quick "do I see this anywhere" answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply. I will check the props.conf when I am granted access.
I can get by with
index=* |stats values(sourcetype) by index
but I forgot how to write the code to count the number sourcetypes per index, (not the events per sourcetype)... any advice is greatly appreciated. I have multiple sourcetypes per index and at least 24 so far.
Thank you
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I came up with this
index=* |stats values(sourcetype) dc(sourcetype) by index
Please let me know if there is a better way...
to clarify I want to see a count unique sourcetypes per index, for example main has sourcetype A B C D E, so the count would be 5.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
