How to create a lookup table for sourcetypes that ...

saifuddin9122 · ‎11-28-2016

Hi all

i have various number of sourcetypes. i want to create lookup table for all my sourcetypes. i want all my sourcetypes that are indexed and will be indexed into Splunk in a single lookup table.

can any one please let me know how can i do this??

Thanks,

ddrillic · ‎11-28-2016

Splunk itself issues the following - | metadata type=sourcetypes | search totalCount > 0. You can output it into the lookup...

Just for reference, as we spoke about the automatic invocation of this call at How to avoid the automatic invocation of a metadata search upon a user's launch of a dashboard?

vasanthmss · ‎11-28-2016

create a saved search with the below search query. and schedule it for required threshold like 1 hr / 1 day. rename the outputlookup name as per your requirement. (First run it for all time, then schedule it based on your above threshold).

Search :

|tstats  c where index=* sourcetype=* by index, sourcetype | fields - c | outputlookup index_sourcetype_lookup.csv

Run the search and confirm you want index / not? I have added sourcetype and index. if you dont like index remove it from group by.

Hope this will helps you!!!

V

How to create a lookup table for sourcetypes that are indexed into Splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life