Solved: How to list all sourcetypes

ialahdal · ‎10-09-2019

I am trying to list all sourcetypes in an index using dc
Using index="test" | stats dc(sourcetype) as sourcetypesonly shows the total number of sourcetypes but does not list them individually.

richgalloway · ‎10-09-2019

To list them individually you must tell Splunk to do so.

index="test" | stats count by sourcetype

Alternative commands are

| metadata type=sourcetypes index=test

or

| tstats count where index=test by sourcetype

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-09-2019

To list them individually you must tell Splunk to do so.

index="test" | stats count by sourcetype

Alternative commands are

| metadata type=sourcetypes index=test

or

| tstats count where index=test by sourcetype

---
If this reply helps you, Karma would be appreciated.

ialahdal · ‎10-13-2019

What I was looking for is closer to index="test" | stats dc(sourcetype) by sourcetype

but thanks I was able to find this because of your answer.

How to list all sourcetypes

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services