Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I count the number of sourcetypes being collected for specific indexes and hosts?

a212830
Champion
‎08-12-2015 07:26 AM

Hi,

I need to run a report for specific indexes and hosts that show the number of sourcetypes being collected for a specific time frame. How would I do that?

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎08-12-2015 08:01 AM

If you're on Splunk 6.1 OR above, we have very fast, sorry, lightening fast method to get this information using "tstats" command.

Sample usage

| tstats count WHERE index=* by index, host, sourcetype

For count of sourcetypes

 | tstats dc(sourcetype) as sourcetypes WHERE index=* by index, host
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-12-2015 08:05 AM

That counts the number of events by sourcetype. I believe the OP was looking for a count of sourcetypes.

---
If this reply helps you, Karma would be appreciated.
Reply

somesoni2
SplunkTrust
SplunkTrust
‎08-12-2015 08:11 AM

Oops, updated the search to meet that requirement.

0 Karma
Reply

maciep
Champion
‎08-12-2015 07:54 AM

You might want to use tstats for that....something like

| tstats count where index=blah (host=somehost OR host=someotherhost OR host=something*) by sourcetype

Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-12-2015 07:42 AM

There are probably a few ways to do that, depending on your data and how many indexes and hosts you want in the report. For example,

index=* | stats dc(sourcetype) as SourceTypes by index,host | table index host SourceTypes

will report the number of sourcetypes for all indexes and hosts. You can limit the results by adding to the base search

(index=foo OR index=bar) (host=system1 OR host=system2) | ...
---
If this reply helps you, Karma would be appreciated.
Reply

treinke
Builder
‎08-12-2015 07:34 AM

Are you going to define the indexes and host? Are you saying show me the sourcetypes for index=A OR index=B and host=AA Or host=BB? Or are you looking for in the last 60 minutes show me all of the indexes getting data by any host and then also show me the sourcetypes that were logged?

There are no answer without questions
0 Karma
Reply

a212830
Champion
‎08-12-2015 08:31 AM

yes, index=euc* host=lync*

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...