I am using the below query to get the list of all sourcetypes for a specific app:
| rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetype, "eai:acl.app" AS app_name | search app_name=vams | search sourcetype!=rest AND sourcetype!=a_test AND sourcetype!=my_test_data | dedup sourcetype
This gives me a list of all sources:
| metadata type=sources index=* |dedup source
But how can I group it by indexes to get the source and sourcetype for each index?
Try this:
| tstats count WHERE [| rest /services/saved/sourcetypes | fields title, "eai:acl.app" | rename title AS sourcetype, "eai:acl.app" AS app_name | search app_name=vams | search sourcetype!=rest AND sourcetype!=a_test AND sourcetype!=my_test_data | dedup sourcetype | table sourcetype] by index sourcetype source