Getting Data In

How to find the list of indexes and source types in specific app?

gokikrishnan198
New Member

I have a different kind of access called ELEVATED ACCESS in splunk enterprise which is below the POWER USER but higher than the USER, with different apps installed. I have only one app in that. Is there a way to identify the list of available indexes and source types that is used in my app?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

If you have access only to indexes under one app, then you can try

|tstats count by sourcetype where index=* |fields - count

If you need to list down app name as well, then probably need to use rest calls,for eg:

    | rest /servicesNS/-/-/data/indexes  | table title eai:acl.app

This might need additional permissions!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

If you have access only to indexes under one app, then you can try

|tstats count by sourcetype where index=* |fields - count

If you need to list down app name as well, then probably need to use rest calls,for eg:

    | rest /servicesNS/-/-/data/indexes  | table title eai:acl.app

This might need additional permissions!

View solution in original post

gokikrishnan198
New Member

I am able to get the few indexes from the code '|tstats count by sourcetype where index=* |fields - count' you gave. But I am unable to get the source types for the corresponding indexes. Can you help me on that part?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@gokikrishnan1982, if you just want all indexes and sourcetypes, try

|tstats count by index,sourcetype|fields - count
0 Karma

gokikrishnan198
New Member

Thank you. It worked.

0 Karma

adonio
SplunkTrust
SplunkTrust

what do you mean by "used by the app"? do you mean configured under this app e.g. props.conf and indexes.conf and maybe other files are in that app directory? or you refer to what knowledge objects / searches are in this app?
if it is ab RBAC question, an app has no "roles" access to indexes or apps or knowledge objects can be defined per role

0 Karma

gokikrishnan198
New Member

Our Client uses splunk. All the teams have their own app available in it. We are one of the team as well. In this situation, I could like to know the steps to identify the INDEX and SOURCETYPE?

0 Karma

gokikrishnan198
New Member

Can anybody help me on this?

0 Karma

adonio
SplunkTrust
SplunkTrust

@gokikrishnan1982,
sorry but i still not sure what exactly you are looking for.
what is the problem you are trying to solve?
if you are trying to figure out which sourcetypes and indexes are being used by an app, you first have to check the searches / knowledge objects that are under that app and see what sourcetypes and indexes they are running against.
please provide more context and detail so we can better assist you
also, see answer by @renjith.nair, maybe this is what you are looking for

0 Karma

gokikrishnan198
New Member

I am given an app to work within SPLUNK.
I have neither Power User nor ** User role*. Rather I have **Elevated User* role.
I would like to know the DataSummary from where the data is getting pulled.
I would like to know the list of available Indexes and SourceTypes that are used in my app.
Do we have any query to search that information? Please assist me on the same.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.