I have created tags in tags.conf inside my Splunk app as below.
[index=index1]
app_index = enabled
[index=index2]
app_index = enabled
Then I am using a search query to get all the sourcetypes from my apps with tags, as below:
| metadata type=sourcetypes index=* | tags | search tag::index=app_index
But this query is not working.
My understanding is that since the values "index1" and "index2" are not present in the type field, the query fails.
Is any change or alternative needed in my search query? Kindly help me with this.
Thanks
A very fast way to achieve this is to use tstats. Try this search below:
|tstats count by sourcetype index| tags index outputfield=index_tag | where index_tag="app_index"
This will give you a table of sourcetypes within indexes. To further reduce to only sourcetypes, do this complete search:
|tstats count by sourcetype index | tags index outputfield=index_tag | where index_tag="app_index" | stats sum(count) as total_count by sourcetype
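As an added illustration (not part of the answer above, and not Splunk's own code), the following Python emulation of the two pipelines shows why the question's approach fails and the tstats approach works: the emulated "metadata" rows carry no index field, so the emulated "tags index" command has nothing to annotate, while the emulated "tstats count by sourcetype index" rows keep the index field and get tagged from the tags.conf stanzas in the question. The event list and the tags.conf text are constructed sample data; the function and field names are assumptions of this example.

```python
from collections import Counter
import configparser

# Constructed copy of the tags.conf stanzas from the question.
TAGS_CONF = """
[index=index1]
app_index = enabled
[index=index2]
app_index = enabled
"""

# Constructed sample events as (index, sourcetype); index3 has no tag.
EVENTS = ([("index1", "access_combined")] * 2 + [("index1", "syslog")]
          + [("index2", "access_combined")] + [("index3", "syslog")] * 3)


def parse_tags_conf(text):
    """Map each 'field=value' stanza to the set of tags enabled on it."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep tag names case-sensitive
    cp.read_string(text)
    return {s: {t for t, v in cp[s].items() if v == "enabled"} for s in cp.sections()}


def metadata_sourcetypes(events):
    """Emulates '| metadata type=sourcetypes': one row per sourcetype, no index field."""
    return [{"sourcetype": st, "totalCount": n} for st, n in Counter(e[1] for e in events).items()]


def tstats_by_sourcetype_index(events):
    """Emulates '| tstats count by sourcetype index': the index field survives."""
    return [{"sourcetype": st, "index": ix, "count": n} for (ix, st), n in Counter(events).items()]


def tags_cmd(rows, field, outputfield, tagmap):
    """Emulates '| tags <field> outputfield=<name>': annotate rows whose field=value is tagged."""
    for row in rows:
        tags = tagmap.get(f"{field}={row[field]}", set()) if field in row else set()
        if tags:
            row[outputfield] = ",".join(sorted(tags))
    return rows


def tagged_sourcetypes(events=EVENTS, tags_conf=TAGS_CONF):
    """The answer's pipeline: tstats | tags index | where index_tag="app_index" | stats sum(count) by sourcetype."""
    rows = tags_cmd(tstats_by_sourcetype_index(events), "index", "index_tag", parse_tags_conf(tags_conf))
    total = Counter()
    for row in rows:
        if row.get("index_tag") == "app_index":
            total[row["sourcetype"]] += row["count"]
    return dict(total)


def metadata_rows_tagged(events=EVENTS, tags_conf=TAGS_CONF):
    """The question's approach: metadata rows have no index field, so no row gets an index_tag."""
    rows = tags_cmd(metadata_sourcetypes(events), "index", "index_tag", parse_tags_conf(tags_conf))
    return any("index_tag" in r for r in rows)
```

Running `tagged_sourcetypes()` on the sample data returns only the sourcetypes seen in the tagged indexes with their summed counts, while `metadata_rows_tagged()` returns False, which is the behaviour the question describes.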
Hi ssujin,
I don't think that it's possible to use tags with | metadata, because with this command you don't have all the fields of your events, but only the total events, first event, last event and most recent event for each object you choose with your type (sourcetypes, hosts, sources); it's the same thing as running a search with |metasearch.
To show all your tags, you have to run a search:
index=* | dedup tag | table tag
Bye.
Giuseppe