Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

log sources

pradeep577
Path Finder
‎06-01-2018 06:24 AM

Hi,

I have been ask to generate report for top log sources which is generating lot of traffic. I need help to generate report as 

< sourcetype>

Can someone from group help me in this. Currently Im using

| metadata type=sources | where
totalCount>0 | table source totalCount

where i get source & total count but Iam looking for < sourcetype> format.

Thanks in advance.

Tags (1)
0 Karma
Reply

pradeep577
Path Finder
‎06-01-2018 06:48 AM

Hi,

Thnk you for quick reply.
I executed this query

| metadata type=sourcetypes index="wineventlog"
| search totalCount>0
| table source totalCount

Output is:

Source: blank(empty)
Total count : numbers

0 Karma
Reply

pradeep577
Path Finder
‎06-01-2018 06:56 AM

Still same please see attached screenshotalt text

It doesnt give me which logs are contributing to high license usage?

Preview file
1 KB
0 Karma
Reply

FrankVl
Ultra Champion
‎06-01-2018 05:53 PM

| metadata type=sourcetypes doesn’t return a source field, only sourcetype and count and some time stamps (run it without the table command to see the full output).

If you want to count just by sourcetype, just change your table command to show the sourcetype field instead of the source field.

If you want to count by sourcetype and source, metadata command is not your friend. Try this in stead:

| tstats count where index = yourindex by source,sourcetype
0 Karma
Reply

FrankVl
Ultra Champion
‎06-01-2018 06:50 AM

If you get the data by sourcetype, you of course also need to table the sourcetype field, not the source field 🙂

0 Karma
Reply

niketn
Legend
‎06-01-2018 06:29 AM

Try the following:

| metadata type=sourcetypes index="<yourIndexName>"
| search totalCount>0
| table sourcetype totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

FrankVl
Ultra Champion
‎06-01-2018 05:55 PM

Think you’ve caused a bit of confusion by tabling the nonexistent source field 😉

Reply

niketn
Legend
‎06-01-2018 09:50 PM

@FrankVI, thanks for catching that. I have made the correction!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...