Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search a list of sourcetypes by index and save it as a dashboard panel?

athorat
Communicator
‎10-07-2015 12:38 PM

I need to get the list of Sourcetypes by Index in a Dashboard.

I got this search from Splunk forums which gives the list, but the index name is listed for all sourcetypes. I need to group by Index. Also, when I save this as a dashboard panel, it never shows any data.

Report works fine. Any other way/search to get the data from _internal indexes?

Search:

| eventcount summarize=false index=* index=_* | dedup index | fields index 
 | map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
 | fields index sourcetype

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-07-2015 05:47 PM

Hi athorat,

just learned this week that tstats is the perfect command for this, because it is super fast. So take this example:

| tstats count WHERE index=* OR sourcetype=* by index,sourcetype | stats values(sourcetype) AS sourcetypes by index

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

Micheal_S
Path Finder
‎06-21-2021 07:13 AM

To expand on some of the other answers. I ran into errors with tstats when trying to go back more than a few days on the time picker. I figured this was due to memory required for the events it was pulling back. I went with the eventcount method I saw in other posts. I was working on something similar, but found that the search didn't list empty indexes. To incorporate empty indexes I used: 

 

| eventcount summarize=false index=* 
| search NOT index IN ( <indexes you don't want to include> )
| dedup index 
| fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype 
| append [| eventcount summarize=false index=* 
| search NOT index IN (
<indexes you don't want to include>
)
| dedup index 
| fields index] 
| fillnull value="No Known SourceTypes" 
|  stats count as mc values(sourcetype) as sourcetype by index 
| stats count values(mc) as mc by index sourcetype
| eval sourcetype = if(sourcetype=="No Known SourceTypes" AND mc>1, NULL,sourcetype) 
| dedup index sourcetype 
| fields index sourcetype

 

If you want to group the results by index you can append a stats command to the search like:

 

<base search> | stats values(sourcetype) as sourcetype by index

 

 

0 Karma
Reply
Solved! Jump to solution

Lasse72
Engager
‎08-24-2018 05:51 AM

Maybe the cleanest (fastest) way?

|tstats values(sourcetype) by index

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-07-2015 05:47 PM

Hi athorat,

just learned this week that tstats is the perfect command for this, because it is super fast. So take this example:

| tstats count WHERE index=* OR sourcetype=* by index,sourcetype | stats values(sourcetype) AS sourcetypes by index

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

ssubhani
Explorer
‎02-17-2021 05:56 AM

Thanks a lot . It really helped me as well . I was trying to do it with stats but tstats is much better .

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-07-2015 03:47 PM

Try this:

| metadata type=sourcetypes index=*  | stats values(sourcetypes) by index
0 Karma
Reply
Solved! Jump to solution

athorat
Communicator
‎10-07-2015 05:13 PM

Thanks for the reply @woodcock
Does not return any results for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...