This question has a lot of discussion that's similar to your problem. From that, I think the following query will do what you want. | tstats count values(sourcetype) WHERE index=* BY index Don't forget about the metadata command - that's another good one to see the latest event received by sourcetype and other ingest monitoring information.
... View more