Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do write a search to list all indexes associated with a sourcetype?

hkj2332
New Member
‎10-01-2015 12:29 PM

I have no trouble listing all the sourcetypes associated with an index, but I need to go the other way - What are all the indexes for a given sourcetype. The search I started with for this is:

index=* OR index=_* sourcetype= SourceTypeName | dedup index | table index

However, this is very slow (not a surprise), and, more a concern, not returning all the indexes that use that sourcetype.

Is there a faster search I can use to do this and not miss associated indices?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-01-2015 03:46 PM

Another faster method availabe 6.1 onward Splunk versions is tstats. Try something like this

| tstats count WHERE index=* sourcetype=* by index, sourcetype | fields - count

I've seen it run much faster then metasearch.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-01-2015 03:46 PM

Another faster method availabe 6.1 onward Splunk versions is tstats. Try something like this

| tstats count WHERE index=* sourcetype=* by index, sourcetype | fields - count

I've seen it run much faster then metasearch.

Reply
Solved! Jump to solution

hkj2332
New Member
‎10-02-2015 05:17 AM

Just tried tstats - way faster. Thanks!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-01-2015 12:59 PM

Hi hkl2332,

much faster to use metasearch as it search only in the metadata of the specified indexes:

| metasearch index=* sourcetype=* | stats count by index, sourcetype | fields - count

See the docs http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Metasearch for more details.

cheers, MuS

Reply
Solved! Jump to solution

hkj2332
New Member
‎10-01-2015 01:07 PM

That'll get me a list of all the sourcetypes - any idea how to also get the indices that use that sourcetype in the resulting table?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-01-2015 01:24 PM

Oh sorry my bad 🙂 mess up metadata and metasearch so see my updated answer 😉

0 Karma
Reply
Solved! Jump to solution

hkj2332
New Member
‎10-01-2015 01:28 PM

Oh, of course... Thanks!!! I've run this search before, but for some reason I was totally forgetting I can order by EITHER column. Thank you!

0 Karma
Reply
Solved! Jump to solution

jagadeeshm
Contributor
‎01-25-2017 03:17 PM

@MuS - Is there anyway to get this working in dependent of time?

I want to list ALL index and the sourcetype.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-26-2017 03:06 PM

@jagadeeshm you can run a tstats search 

 | tstats count where index=* by sourcetype, index, _time | timechart sum(count) AS count by index
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...