Query to list index name sourcetype for 100+ hosts...

manchou0709

Hi everyone,

I am trying to find out index name , sourcetype for 100+ (128) hosts. Since I am working in a multisite cluster where all 3 SH can communicate with each other, I am trying to avoid using index=*
I have tried below queries but none works -

| metadata type=hosts | search host IN ("host1","host2","host3") | rename _meta_index as index | join host index [ | stats values(sourcetype) as sourcetype by host index ]

| tstats count where host IN (host1, host2, host3,.. hostn) by index sourcetype

as well as stats query none works.

Please help!

ITWhisperer

In what way do they not work? Please can you be more specific about your issue.

Having said that, multi-value fields from stats are often truncated to 100 entries. You could try adding

limit=128

or even

limit=0

bowesmana

@ITWhisperer MV from stats values() has no limit, but stats list() does have the 100 limit...

Have you ever seen values get truncated?

Query to list index name sourcetype for 100+ hosts using IN command

join

metadata

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation