Splunk Search

How to edit my search to find the sources from soucetype?

Path Finder

Hi,

I am using the following search | metadata type=sourcetype| where match(sources) to find all the sources that a particular sourcetype has. Can someone please help in the correcting the search?

0 Karma

Path Finder

Try
| metadata type=sources sourcetype=*

0 Karma

Esteemed Legend

You need another s for starters but you cannot do what you are trying to do with the command that you are trying to use. See what I mean with these:

| metadata type=sources index=* OR index=_*
| metadata type=sourcetypes index=* OR index=_*

But you can do it with tstats like this:

  | tstats values(source) WHERE index=* OR index=_* BY sourcetype
0 Karma

SplunkTrust
SplunkTrust

Hi kteng2024, You might find tstats would work better here. i.e.

| tstats count where sourcetype=YOUR_SOURCETYPE by source

This will give you a list sources for that sourcetype. It should be fairly quick to run over large timeframes.

Please let me know if this answers your question! 😄

Revered Legend

If you're collecting data for all sourcetypes then use this variation.

| tstats max(_time) as recentTime where index=* by sourcetype source
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!