Re: How do you list Index, sourcetype and source u...

harshal_chakran · ‎03-06-2019

Hi,

I am working to list all the index with underlying sourcetypes and sources in it.

For which I am currently using the following command to run All Time

| tstats values(source) as source where index = * by index, sourcetype

The problem is that I have to run this search in the all time range, which is a heavy load and slow too.

Is there any |rest command to get results in much faster or any other command where I don't have to run search with an all time duration?

Thanks in advance.

lakshman239 · ‎03-06-2019

Did you try with summariesonly?

 | tstats `summariesonly` values(source) as source where index = * groupby index, sourcetype

harshal_chakran · ‎03-06-2019

Hi,
cannot find such macro ´summariesonly´.

Ran this search though
| tstats summariesonly=true values(source) as source where index = * groupby index, sourcetype

However, the problem is the same, that I have to run it all time to get all results.
Looking for more like a rest command, so can run for last 15 mins, etc.

lakshman239 · ‎03-06-2019

´summariesonly´ is in SA-Utils, but same as what you have now. tstats does support the search to run for last 15mins/60 mins, if that helps.

not sure if there is a direct rest api. One option would be to pull all indexes using rest and then use that on tstats, perhaps?

|rest /services/data/indexes | table title

harshal_chakran · ‎03-06-2019

Don't know why, but I have to select "all time" to get all index, sourcetype and source mapping using tstats command

How do you list Index, sourcetype and source using the REST command?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies