Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I count the number of sourcetypes being collected for specific indexes and hosts?

a212830
Champion
‎08-12-2015 07:26 AM

Hi,

I need to run a report for specific indexes and hosts that show the number of sourcetypes being collected for a specific time frame. How would I do that?

0 Karma
Reply

somesoni2
Revered Legend
‎08-12-2015 08:01 AM

If you're on Splunk 6.1 OR above, we have very fast, sorry, lightening fast method to get this information using "tstats" command.

Sample usage

| tstats count WHERE index=* by index, host, sourcetype

For count of sourcetypes

 | tstats dc(sourcetype) as sourcetypes WHERE index=* by index, host
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-12-2015 08:05 AM

That counts the number of events by sourcetype. I believe the OP was looking for a count of sourcetypes.

---
If this reply helps you, Karma would be appreciated.
Reply

somesoni2
Revered Legend
‎08-12-2015 08:11 AM

Oops, updated the search to meet that requirement.

0 Karma
Reply

maciep
Champion
‎08-12-2015 07:54 AM

You might want to use tstats for that....something like

| tstats count where index=blah (host=somehost OR host=someotherhost OR host=something*) by sourcetype

Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-12-2015 07:42 AM

There are probably a few ways to do that, depending on your data and how many indexes and hosts you want in the report. For example,

index=* | stats dc(sourcetype) as SourceTypes by index,host | table index host SourceTypes

will report the number of sourcetypes for all indexes and hosts. You can limit the results by adding to the base search

(index=foo OR index=bar) (host=system1 OR host=system2) | ...
---
If this reply helps you, Karma would be appreciated.
Reply

treinke
Builder
‎08-12-2015 07:34 AM

Are you going to define the indexes and host? Are you saying show me the sourcetypes for index=A OR index=B and host=AA Or host=BB? Or are you looking for in the last 60 minutes show me all of the indexes getting data by any host and then also show me the sourcetypes that were logged?

There are no answer without questions
0 Karma
Reply

a212830
Champion
‎08-12-2015 08:31 AM

yes, index=euc* host=lync*

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...