- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- is there a rest query I can use to identify all lo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I use the query
index=* source=* | dedup source | table index source
this appears to provide me with a list of all indexes and associated sources
I am trying to find all logfiles monitored in my splunk environment and which indexes are storing the information
is the query above good enough, or is there a better way of gathering this information?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
many ways to look at this, one of them is the one you mentioned.
can you be more specific regarding your use case? what exactly are you trying to achieve here?
try those searches:
| rest /services/data/inputs/all
| table title source sourcetype index
| tstats min(_time) as first_time max(_time) as last_time where index=* by index source
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified this query slightly:
| tstats latest(_time) as Latest where index!=_internal by host sourcetype index
| eval current=now()
| eval Minimum_Age=round(((current-Latest)/60)/60,2)
| rangemap field=Minimum_Age default=Critical Normal=0-0.5 Elevated=0.5-2 Warning=2-4
| eval stIDX=tostring(index) + " -- " + tostring(sourcetype)
| stats values(stIDX) as "Index -- Sourcetype" list(Latest) as "Latest Event" list(Minimum_Age) as Minimum_Age list(range) as Threshold by host
| convert ctime("Latest Event")
| eventstats avg(Minimum_Age) as average by host
| eval average=round(average,2)
| sort - average
| rename Minimum_Age as "Hours Since Last Communication" average as "Average Time in Hours Since Last Communication"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
many ways to look at this, one of them is the one you mentioned.
can you be more specific regarding your use case? what exactly are you trying to achieve here?
try those searches:
| rest /services/data/inputs/all
| table title source sourcetype index
| tstats min(_time) as first_time max(_time) as last_time where index=* by index source
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went ahead and modified this as well to clean it up a bit (assuming you don't want internal indexes, or all individual file names):
| rest /services/data/inputs/all
| search index!=_*
| stats values(sourcetype) by index
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
