How to write a query required for checking all sou...

sanket4147 · ‎05-11-2022

Hi Team,

We are using Splunk Enterprise SIEM tool. we want to check all the source type which is configured for all alert/dashboard/report . As we have searched and tried with below query but it is not showing expected result which we want.

index="*" | stats count by source type

We want to check all source type which is configured under the all reports or all dashboards or all alerts.

if you can give me 3 different query for this then it is also fine we are not required all this in one query.

Could you please suggest and help us for this .

Regards,

Sanket Kaware

PickleRick · ‎05-11-2022

I'm not really sure what you want to achieve.

The fastest way to get metadata for events is... the metadata command 🙂 For example

| metadata type=sourcetypes index=*

Unfortunately, it will not break the data into separate indexes or hosts.

If you want to make statistics on your own, you can use tstats (don't use stats for it! tstats is way way faster than stats). For example

| tstats count where index=* by host

or

| tstats count where index=* by sources sourcetypes

Don't forget to adjust your timerange picker!

How to write a query required for checking all sourcetype which is configured for alert/report/dashboard

field extraction

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life