What is the fastest way to show all sources and sourcetypes in an index?

Jason
Motivator

I want a really quick view of the sources and sourcetypes in my data, say, over an entire index. I'd rather not wait for this to finish:

index="test" | stats count by sourcetype, source

Is there anything faster than stats? I don't care about the count, just the distinct sourcetypes and sources.

1 Solution

sideview
SplunkTrust

No problem. Just use the metadata command.

| metadata type=sourcetypes index="test" 

and

| metadata type=sources index="test" 

Note that this only works for sources, sourcetypes and hosts. It won't work for any other field even if it's an index-time field.

http://www.splunk.com/base/Documentation/latest/SearchReference/Metadata

The only other thing to say about it is that if you want to see the host tags (or source/sourcetype tags), you have to pipe the metadata output through the tags command.

| metadata type=hosts index="test" | tags

hope that helps.

Lowell
Super Champion

| tstats dc(host) as hosts, dc(sourcetype) as sourcetypes where index="test"

duartet
Path Finder

That just gives you the count of hosts and sourcetypes; it's different from what was requested by the user. However, it can be an interesting command.


helge
Builder

Excellent, thank you!


ma_anand1984
Contributor

@sideview

| metadata type=sourcetypes index=* gives a list of all sourcetypes, but it's not listing the index field, though it lists the type field. Any way I can get a list of index and sourcetypes for all indexes in a faster way?

jagadeeshm
Contributor

Did you ever get an answer for this?


fredclown
Contributor

This works for the raw data ... meaning so long as you aren't doing sourcetype renaming at search time. Tstats only looks at the raw data, so it cannot see anything that happens at search time.

Sourcetype

| tstats count where index=* OR index=_* by index, sourcetype
| fields - count
| sort index

Source

| tstats count where index=* OR index=_* by index, source
| fields - count
| sort index
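Building on the tstats search above, here is an added example (not posted by anyone in this thread) that keeps the same index/sourcetype grouping but adds latest(_time), so the fast listing doubles as a check for sourcetypes that have stopped reporting; the 24-hour threshold is a constructed value, adjust it to the expected cadence of each source.

```spl
| tstats count latest(_time) as last_seen where index=* OR index=_* by index, sourcetype
| eval hours_silent=round((now()-last_seen)/3600, 1)
| where hours_silent > 24
| convert ctime(last_seen)
| sort - hours_silent
```

Like the searches above, this reads only index-time data, so a sourcetype renamed at search time will appear under its original name.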