what command can i run if am not sure where an index for a data associated with a sourcetype is stored in splunk
there are several queries :for example sourcetype=Sample_sourcetype : 1-
| metadata type=sourcetypes | search sourcetype=Sample_sourcetype | table index, sourcetype
2-
| tstats count where sourcetype=Sample_sourcetype by index | table index
you could try:
index=* | stats values(sourcetype) as sourcetype by index | table index, sourcetype
this will provide all sourcetypes associated to their index, based on the timeframe given and if they contain event logs during that time frame.
Hi @whitecat001,
index=* sourcetype=your_sourcetype
in this way you can know which is the index.
Ciao.
Giuseppe
thank you
| tstats count where index=* by index, sourcetype
