I want a really quick view of the sources and sourcetypes in my data, say, over an entire index. I'd rather not wait for this to finish:
index="test" | stats count by sourcetype, source
Is there anything faster than stats? I don't care about the count, just the distinct sourcetypes and sources.
No problem. Just use the metadata command.
| metadata type=sourcetypes index="test"
| metadata type=sources index="test"
Note that this only works for sources, sourcetypes and hosts. It won't work for any other field, even if it's an index-time field.
The only other thing to say about it is that if you want to see the host tags (or source/sourcetype tags), you have to pipe the metadata output through the tags command.
| metadata type=hosts index="test" | tags
Hope that helps.
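As an added example (not part of the original answer), this search uses the fields the metadata command already returns (firstTime, lastTime, totalCount) to flag sourcetypes in an index that have gone quiet, which is a quick way to spot a log source that stopped feeding your detections. The one-day threshold is an assumed value.

```spl
| metadata type=sourcetypes index="test"
| eval firstSeen=strftime(firstTime, "%Y-%m-%d %H:%M:%S")
| eval lastSeen=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval ageSeconds=now()-lastTime
| eval status=if(ageSeconds > 86400, "STALE", "ok")
| table sourcetype totalCount firstSeen lastSeen status
| sort -ageSeconds
```

Switch type=sources or type=hosts to run the same check on the other two metadata types.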
| metadata type=sourcetypes index=* gives a list of all sourcetypes but it's not listing the index field, though it lists the type field. Any way I can get a list of index and sourcetypes for all indexes in a faster way?
That just gives you the count of hosts and sourcetypes; it's different from what was requested by the user. However, it can be an interesting command.