How to edit my search to find the sources from sou...

kteng2024 · ‎03-13-2017

Hi,

I am using the following search | metadata type=sourcetype| where match(sources) to find all the sources that a particular sourcetype has. Can someone please help in the correcting the search?

mgrosholz · ‎03-14-2017

Try
| metadata type=sources sourcetype=*

woodcock · ‎03-13-2017

You need another s for starters but you cannot do what you are trying to do with the command that you are trying to use. See what I mean with these:

| metadata type=sources index=* OR index=_*
| metadata type=sourcetypes index=* OR index=_*

But you can do it with tstats like this:

  | tstats values(source) WHERE index=* OR index=_* BY sourcetype

muebel · ‎03-13-2017

Hi kteng2024, You might find tstats would work better here. i.e.

| tstats count where sourcetype=YOUR_SOURCETYPE by source

This will give you a list sources for that sourcetype. It should be fairly quick to run over large timeframes.

Please let me know if this answers your question! 😄

somesoni2 · ‎03-13-2017

If you're collecting data for all sourcetypes then use this variation.

| tstats max(_time) as recentTime where index=* by sourcetype source

How to edit my search to find the sources from soucetype?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms