Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to design a data catalogue that captures all source types that are being ingested?

tirelana
Engager
‎03-30-2022 07:30 PM

I'm looking at designing a Splunk data catalogue that captures all source types (and metadata) that are currently being ingested, so that we can quickly see what the current state of the workspace. E.g. a customer who wants access to event X can use the catalogue to check that source type Y exists already. Has anyone done something similar to this or have suggestions? I'm quite new to Splunk but it seemed like it could be a common 'nice to have' for Splunk users. 

Thanks. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎03-30-2022 10:47 PM

Use this search:

| metadata type=sourcetypes index=*

(Timerange picker matters, so run it in the same timerange as what you would consider all the sourcetypes being included. like last 7 days or last 30 days)

 

| metadata type=sourcetypes index=* | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

for additional formatting.

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎03-30-2022 10:47 PM

Use this search:

| metadata type=sourcetypes index=*

(Timerange picker matters, so run it in the same timerange as what you would consider all the sourcetypes being included. like last 7 days or last 30 days)

 

| metadata type=sourcetypes index=* | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

for additional formatting.

Reply
Solved! Jump to solution

tirelana
Engager
‎03-30-2022 08:43 PM

Great thanks. I'll have a read through the docs. 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-30-2022 08:15 PM

Before you jump in and design one, take a look at TrackMe

https://splunkbase.splunk.com/app/4621/

I have written a data catalog that does similar to what you are looking to do, with the aim of being able to find out about data and ownerships. However, I think that TrackMe, with some additional dashboards that provide a query functionality onto what it captures would be pretty easy to do.

I believe there are other apps out there, but this one is open source and the dev is super helpful. 

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...