Hi
I am looking for a way to get the number of events from host=ALL with sourcetype=tps. However, it looks like I can't.
I am looking to display all the hosts that have a TPS sourcetype. However, the search below is giving me all the events for every sourcetype. Can I refine the search? The part in bold below is not having any impact.
| metadata type=hosts index=mlc_log_drop sourcetype=tps | search host=* | rename host as log_drop_name | lookup PROJECT_GROUPINGS.csv log_drop_name OUTPUTNEW project | stats first(recentTime) as time, max(project) as project, first(totalCount) as total_events by log_drop_name | rename total_events as TPS_Events | eval TPS_Events=tostring(TPS_Events, "commas")| sort -time | fieldformat time = strftime(time,"%a, %d %b %Y %H:%M:%S") | head 5001
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Metadata
If you're filtering type=host, you cannot search for sourcetype=tps, as metadata only brings back a host column.
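One way to get per-host counts restricted to a single sourcetype is `tstats`, which can filter and group on the indexed fields `host` and `sourcetype`. This is an added example, not part of the original question or answer; it reuses the index, lookup and field names from the question's search and assumes the time range picker sets the window, since `tstats` counts only events in the search time range.

```spl
| tstats count AS total_events max(_time) AS time
    WHERE index=mlc_log_drop sourcetype=tps
    BY host
| rename host AS log_drop_name
| lookup PROJECT_GROUPINGS.csv log_drop_name OUTPUTNEW project
| eval TPS_Events=tostring(total_events, "commas")
| sort - time
| fieldformat time = strftime(time, "%a, %d %b %Y %H:%M:%S")
| table log_drop_name project TPS_Events time
| head 5001
```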