How can I get a list of indexes, the source types for the indexes, and the sources for the source types, and be able to select the index as a dropdown?

nls7010
Path Finder

I am able to get a list of indexes and their source types using | metadata type=sources index=* sourcetype=* | dedup source, but I want to add the source types to the list and be able to pick the index from a drop-down so that I get only the source types and sources for a particular index.

0 Karma
1 Solution

nls7010
Path Finder

Got it going, it was just a matter of my time span.

0 Karma

renjith_nair
SplunkTrust

@nls7010, if it works, please accept the answer or let us know in case of further issues.

Happy Splunking!
0 Karma

nls7010
Path Finder

Thank you for the guide below, but oddly even when I added the dropdown it's not affecting the search. This is one Panel in a dashboard, do I have to do something different to make it work there?

0 Karma

renjith_nair
SplunkTrust

Hi @nls7010,
Try this:

    | tstats count by index, source, sourcetype | fields - count

If you have the index selected, then you could filter by:

    | tstats count where index=your_selected_index by source, sourcetype | fields - count

Happy Splunking!

jkat54
SplunkTrust

Do this tstats search in the UI like the other answer shows.

0 Karma

kmorris_splunk
Splunk Employee

Try this search over a time window long enough to get all of the possible indexes, sources, and sourcetypes. Save it to a dashboard panel:

    index=* | stats count by index sourcetype source

Add a dropdown input to your dashboard with this configuration:
[Two screenshots of the dropdown input configuration]

Click on the magnifying glass at the top of your dashboard panel when in Edit mode to edit the search. Modify the search to use your token for the index value:

    index=$myindex$ | stats count by index sourcetype source
0 Karma

nls7010
Path Finder

Thank you all for your replies. I was able to get it to work as above.

0 Karma