I want to build a dashboard and list all the sourcetypes for an app (e.g. search or splunkTAnix). In the settings (Splunk 6.3), I can find a list of sourcetypes and the related apps.
Can somebody tell me what kind of search is this list based on?
I thought about
| rest services/data/
but there are no sourcetypes.
You can use the following query but I don't think you are going to be able to filter by app:
| metadata type=sourcetypes | table sourcetype
You can specify the index name and return all the sourcetypes for that particular index, but filtering by app is a different question. If you name all those sourcetypes within the name with a similar pattern, something like "Foo_MyAppName", then it's very easy to filter by that later on, but otherwise I'm not sure.
Thank you for your answer, but that's not quite what I am looking for.
It should look like the list "source types" in the settings. There has to be a search in the background of that list,
does anybody know what this search could look like?
I did manage to get to the following URI by capturing the HTTP traffic from the Settings menu you indicated before:
After that, deducing the following query was simple enough:
| rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetype, "eai:acl.app" AS app_name
Let me know if that helps.
Please keep in mind that the following endpoint returns dozens of fields, so you want to take a look at the full output first before filtering out those fields you think you are going to need:
| rest /services/saved/sourcetypes
Thank you very much. This worked for me.
|rest /services/saved/sourcetypes |fields title, "eai:acl.app" |rename title AS sourcetype, "eai:acl.app" AS app_name