Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to find the sources from soucetype?

kteng2024
Path Finder
‎03-13-2017 11:44 AM

Hi,

I am using the following search | metadata type=sourcetype| where match(sources) to find all the sources that a particular sourcetype has. Can someone please help in the correcting the search?

0 Karma
Reply

mgrosholz
Path Finder
‎03-14-2017 06:19 AM

Try
| metadata type=sources sourcetype=*

0 Karma
Reply

woodcock
Esteemed Legend
‎03-13-2017 12:05 PM

You need another s for starters but you cannot do what you are trying to do with the command that you are trying to use. See what I mean with these:

| metadata type=sources index=* OR index=_*
| metadata type=sourcetypes index=* OR index=_*

But you can do it with tstats like this:

  | tstats values(source) WHERE index=* OR index=_* BY sourcetype
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-13-2017 11:57 AM

Hi kteng2024, You might find tstats would work better here. i.e.

| tstats count where sourcetype=YOUR_SOURCETYPE by source

This will give you a list sources for that sourcetype. It should be fairly quick to run over large timeframes.

Please let me know if this answers your question! 😄

Reply

somesoni2
Revered Legend
‎03-13-2017 12:05 PM

If you're collecting data for all sourcetypes then use this variation.

| tstats max(_time) as recentTime where index=* by sourcetype source
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...