To expand on some of the other answers: I ran into errors with tstats when trying to go back more than a few days on the time picker. I figured this was due to the memory required for the events it was pulling back. I went with the eventcount method I saw in other posts. I was working on something similar, but found that the search didn't list empty indexes. To incorporate empty indexes I used:

| eventcount summarize=false index=*
| search NOT index IN ( <indexes you don't want to include> )
| dedup index
| fields index
| map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\""
| fields index sourcetype
| append [| eventcount summarize=false index=*
    | search NOT index IN ( <indexes you don't want to include> )
    | dedup index
    | fields index]
| fillnull value="No Known SourceTypes"
| stats count as mc values(sourcetype) as sourcetype by index
| stats count values(mc) as mc by index sourcetype
| eval sourcetype = if(sourcetype=="No Known SourceTypes" AND mc>1, null(), sourcetype)
| dedup index sourcetype
| fields index sourcetype

If you want to group the results by index you can append a stats command to the search like:

<base search> | stats values(sourcetype) as sourcetype by index