
non searchable sourcetypes

sverdhan
Loves-to-Learn Lots

Hello All,

I am looking for a query that can provide me with a list of sourcetypes that have not been searched .Kindly suggest.


PickleRick
SplunkTrust

Actually, that's a problem which does not have a precise solution. Short of re-running the search and checking what kind of sourcetypes are returned (and even then it's not 100% certain, because you can have some random aspects of the search), there's no way of knowing what sourcetypes were searched in the general case.

So everything you infer from your searches will only be some kind of heuristic - it will give you some probable overview of your search results, but short of recording access to each single event (which obviously Splunk does not do) there's no way of knowing which particular events/metric points were accessed and, subsequently, what their metadata values were.


ITWhisperer
SplunkTrust

"non searchable" is not the same as "have not been searched"

The problem with this sort of search is that Splunk is not good at finding things which aren't there! You could search through the internal logs to see what searches have been executed and extract from that which sourcetypes have been specified. This would give you a list of sourcetypes which have been searched specifically, but if sourcetype is not used in the search, all sourcetypes for the index specified could be searched, so do you want to include those as having been searched or say that they haven't been searched? Anyway, having got a list of sourcetypes which have been searched, you should compare this to a list of all sourcetypes to determine which ones "have not been searched" (given the caveats just mentioned).

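The comparison ITWhisperer outlines (extract index/sourcetype terms from audited searches, then subtract from the full sourcetype inventory), as an added Python model that is not from the thread: the audit search strings and the (index, sourcetype) inventory are constructed samples, and pulling the terms out of the base search with a regex is an approximating assumption, since real SPL can hide them in subsearches, macros or eventtypes. The `include_index_wide` switch implements the caveat about searches that name an index but no sourcetype.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of what `| metadata index=* type=sourcetypes` would enumerate, as (index, sourcetype)
INVENTORY = {
    ("main", "access_combined"),
    ("main", "syslog"),
    ("security", "WinEventLog:Security"),
    ("security", "sysmon"),
}

# Constructed sample of the `search` field from index=_audit action=search info=granted
AUDIT_SEARCHES = [
    'search index=main sourcetype=access_combined status=500 | stats count',
    'search index=security | head 10',            # no sourcetype term: scans every sourcetype in the index
    'search index=main sourcetype="syslog" error',
    'search index=_internal sourcetype=splunkd',   # index/sourcetype not in the inventory: ignored
]

# Assumption: index= and sourcetype= terms appear as plain key=value (optionally quoted) in the base search
TERM = re.compile(r'\b(index|sourcetype)\s*=\s*"?([^\s"|]+)"?', re.IGNORECASE)

def base_search_terms(spl):
    """Index and sourcetype patterns named in the base search (the text before the first pipe)."""
    base = spl.split("|", 1)[0]
    indexes, sourcetypes = set(), set()
    for key, value in TERM.findall(base):
        (indexes if key.lower() == "index" else sourcetypes).add(value)
    return indexes, sourcetypes

def searched_sourcetypes(audit_searches, inventory, include_index_wide):
    """Sourcetypes the audited searches touched. With include_index_wide, a search that names an
    index but no sourcetype counts as having searched every sourcetype in that index."""
    searched = set()
    for spl in audit_searches:
        indexes, sourcetypes = base_search_terms(spl)
        for idx, st in inventory:
            if sourcetypes:
                if any(fnmatchcase(st, pat) for pat in sourcetypes):  # wildcards like sourcetype=Win* match
                    searched.add(st)
            elif include_index_wide and any(fnmatchcase(idx, pat) for pat in indexes):
                searched.add(st)
    return searched

def unsearched_sourcetypes(audit_searches, inventory, include_index_wide=False):
    """Inventory minus searched: the list the original question asks for, under the chosen policy."""
    every = {st for _, st in inventory}
    return sorted(every - searched_sourcetypes(audit_searches, inventory, include_index_wide))

if __name__ == "__main__":
    print("explicit sourcetype terms only:", unsearched_sourcetypes(AUDIT_SEARCHES, INVENTORY))
    print("index-wide searches counted:", unsearched_sourcetypes(AUDIT_SEARCHES, INVENTORY, True))
```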

sverdhan
Loves-to-Learn Lots

Thank you for your prompt reply.

Actually, I have this search which lists the sourcetypes that have not been searched, but it is not very accurate, so it might contain sourcetypes that are still searchable:

index=_audit action=search info=granted | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | stats max(hasBeenSearched) as hasBeenSearched by sourcetype | search hasBeenSearched="0"

So, I created a lookup into which I have put the sourcetypes that have been searched. I was thinking of referencing this lookup in the above-mentioned query so that it could remove the sourcetypes that are searchable, but the query is not giving me results. Can you please check where I should adjust those commands related to referencing that lookup?

Here is how I have used the query, but the results are not coming:

index=_audit action=search info=granted | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | stats max(hasBeenSearched) as hasBeenSearched by sourcetype | search NOT [inputlookup sourcetypes_1.csv | fields sourcetype] | search hasBeenSearched="0"

ITWhisperer
SplunkTrust

What was the search you used to populate sourcetypes_1.csv?
