I am working to list all the indexes with the underlying sourcetypes and sources in them.
For this I am currently running the following command over All Time:
| tstats values(source) as source where index = * by index, sourcetype
The problem is that I have to run this search in the all time range, which is a heavy load and slow too.
Is there any | rest command to get results much faster, or any other command where I don't have to run the search over an all-time duration?
Thanks in advance.
Cannot find such macro `summariesonly`.
Ran this search though:
| tstats summariesonly=true values(source) as source where index = * groupby index, sourcetype
However, the problem is the same: I have to run it over all time to get all results.
Looking for something more like a rest command, so I can run it for the last 15 mins, etc.
`summariesonly` is in SA-Utils, but it is the same as what you have now. tstats does support running the search for the last 15 mins/60 mins, if that helps. Not sure if there is a direct REST API. One option would be to pull all indexes using rest and then use that on tstats, perhaps?
| rest /services/data/indexes | table title
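
The combination suggested in the last reply, written out as one search. This is an added example, not a search posted by anyone in the thread. The 60-minute window and the `dedup` step (the REST endpoint can return the same index once per server) are assumptions.

```spl
| tstats values(source) as source
    where earliest=-60m latest=now
      [| rest /services/data/indexes
       | dedup title
       | rename title as index
       | fields index ]
    by index, sourcetype
```

The subsearch expands to an `index="..." OR index="..."` filter built from the REST list, so tstats only touches indexes that are actually defined. An index with no events inside the window will not appear in the output, so a short window trades completeness for speed.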