Solved: Re: How to search a list of sourcetypes by index a...

athorat · ‎10-07-2015

I need to get the list of Sourcetypes by Index in a Dashboard.

I got this search from Splunk forums which gives the list, but the index name is listed for all sourcetypes. I need to group by Index. Also, when I save this as a dashboard panel, it never shows any data.

Report works fine. Any other way/search to get the data from _internal indexes?

Search:

| eventcount summarize=false index=* index=_* | dedup index | fields index 
 | map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
 | fields index sourcetype

Thanks.

MuS · ‎10-07-2015

Hi athorat,

just learned this week that tstats is the perfect command for this, because it is super fast. So take this example:

| tstats count WHERE index=* OR sourcetype=* by index,sourcetype | stats values(sourcetype) AS sourcetypes by index

Hope this helps ...

cheers, MuS

View solution in original post

Micheal_S · ‎06-21-2021

To expand on some of the other answers. I ran into errors with tstats when trying to go back more than a few days on the time picker. I figured this was due to memory required for the events it was pulling back. I went with the eventcount method I saw in other posts. I was working on something similar, but found that the search didn't list empty indexes. To incorporate empty indexes I used:

| eventcount summarize=false index=* 
| search NOT index IN ( <indexes you don't want to include> )
| dedup index 
| fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype 
| append [| eventcount summarize=false index=* 
| search NOT index IN (
<indexes you don't want to include>
)
| dedup index 
| fields index] 
| fillnull value="No Known SourceTypes" 
|  stats count as mc values(sourcetype) as sourcetype by index 
| stats count values(mc) as mc by index sourcetype
| eval sourcetype = if(sourcetype=="No Known SourceTypes" AND mc>1, NULL,sourcetype) 
| dedup index sourcetype 
| fields index sourcetype

If you want to group the results by index you can append a stats command to the search like:

<base search> | stats values(sourcetype) as sourcetype by index

Lasse72 · ‎08-24-2018

Maybe the cleanest (fastest) way?

|tstats values(sourcetype) by index

MuS · ‎10-07-2015

Hi athorat,

just learned this week that tstats is the perfect command for this, because it is super fast. So take this example:

| tstats count WHERE index=* OR sourcetype=* by index,sourcetype | stats values(sourcetype) AS sourcetypes by index

Hope this helps ...

cheers, MuS

ssubhani · ‎02-17-2021

Thanks a lot . It really helped me as well . I was trying to do it with stats but tstats is much better .

woodcock · ‎10-07-2015

Try this:

| metadata type=sourcetypes index=*  | stats values(sourcetypes) by index

athorat · ‎10-07-2015

Thanks for the reply @woodcock
Does not return any results for me.

How to search a list of sourcetypes by index and save it as a dashboard panel?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms