Hi,
I want to build a dashboard and list all the sourcetypes for an app (e.g. search or splunk_TA_nix). In the settings (Splunk 6.3), I can find a list of sourcetypes and the related apps.
Can somebody tell me what kind of search this list is based on?
I thought about
| rest services/data/
but there are no sourcetypes.
Thank you
You can use the following query but I don't think you are going to be able to filter by app:
| metadata type=sourcetypes
| table sourcetype
You can specify the index name and return all the sourcetypes for that particular index, but filtering by app is a different question. If you name all those sourcetypes within the name with a similar pattern, something like "Foo_MyAppName", then it's very easy to filter by that later on, but otherwise I'm not sure.
I did manage to get to the following URI by capturing the HTTP traffic from the Settings menu you indicated before:
http://localhost:8000/en-GB/splunkd/__raw/services/saved/sourcetypes?output_mode=json&count=1000
After that, deducing the following query was simple enough:
| rest /services/saved/sourcetypes
| fields title, "eai:acl.app"
| rename title AS sourcetype, "eai:acl.app" AS app_name
Let me know if that helps.
Just what I was looking for, thanks.
Please keep in mind that the following endpoint returns dozens of fields, so you want to take a look at the full output first before filtering out those fields you think you are going to need:
| rest /services/saved/sourcetypes
Thank you very much. This worked for me.
|rest /services/saved/sourcetypes
|fields title, "eai:acl.app"
|rename title AS sourcetype, "eai:acl.app" AS app_name
Thank you for your answer, but that's not quite what I am looking for.
It should look like the list "source types" in the settings. There has to be a search in the background of that list.
Does anybody know what this search could look like?
Thanks
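Added example, not part of the original thread: a Python sketch that takes the JSON body returned by the `/services/saved/sourcetypes?output_mode=json` endpoint mentioned above, groups sourcetypes by owning app (the `eai:acl.app` field of `| rest`), and flags a listing cut short by the `count=` limit. The sample body is constructed, and the `entry[].acl.app` and `paging` layout, the function names and the case-insensitive app match are assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the endpoint's JSON body (assumed layout,
# trimmed to the keys used here; real entries carry dozens more fields).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "syslog", "acl": {"app": "system", "sharing": "system"}},
        {"name": "cpu", "acl": {"app": "Splunk_TA_nix", "sharing": "global"}},
        {"name": "vmstat", "acl": {"app": "Splunk_TA_nix", "sharing": "global"}},
        {"name": "my_custom_log", "acl": {"app": "search", "sharing": "app"}},
        {"name": "broken_entry"},  # no acl block: must not crash the listing
    ],
    "paging": {"total": 6, "perPage": 5, "offset": 0},
})


def sourcetypes_by_app(body):
    """Return ({app: sorted sourcetype names}, truncated) from a JSON body."""
    doc = json.loads(body)
    entries = doc.get("entry", [])
    grouped = defaultdict(set)
    for entry in entries:
        name = entry.get("name")
        if not name:
            continue
        # Same value that "| rest" exposes as the eai:acl.app field.
        app = (entry.get("acl") or {}).get("app") or "(unknown)"
        grouped[app].add(name)
    paging = doc.get("paging") or {}
    # If the server holds more entries than this page returned, a dashboard
    # built from it would silently miss sourcetypes.
    truncated = paging.get("total", 0) > paging.get("offset", 0) + len(entries)
    return {app: sorted(names) for app, names in grouped.items()}, truncated


def sourcetypes_for(body, app_name):
    """Sourcetypes owned by one app (app name matched case-insensitively)."""
    grouped, _ = sourcetypes_by_app(body)
    wanted = app_name.lower()
    return sorted(st for app, names in grouped.items()
                  if app.lower() == wanted for st in names)


if __name__ == "__main__":
    grouped, truncated = sourcetypes_by_app(SAMPLE_RESPONSE)
    for app in sorted(grouped):
        print(app, grouped[app])
    print("truncated:", truncated)
```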