Getting Data In

log sources

pradeep577
Path Finder

Hi,

I have been asked to generate a report for the top log sources which are generating a lot of traffic. I need help to generate the report as

<sourcetype>

Can someone from the group help me with this? Currently I'm using

| metadata type=sources
| where totalCount>0
| table source totalCount

where I get source & total count, but I am looking for the <sourcetype> format.

Thanks in advance.

0 Karma

pradeep577
Path Finder

Hi,

Thank you for the quick reply.
I executed this query

| metadata type=sourcetypes index="wineventlog"
| search totalCount>0
| table source totalCount

Output is:

Source: blank (empty)
Total count: numbers

0 Karma

pradeep577
Path Finder

Still the same, please see the attached screenshot.

It doesn't give me which logs are contributing to high license usage.

0 Karma

FrankVl
Ultra Champion

| metadata type=sourcetypes doesn't return a source field, only sourcetype, count and some timestamps (run it without the table command to see the full output).

If you want to count just by sourcetype, just change your table command to show the sourcetype field instead of the source field.

If you want to count by sourcetype and source, the metadata command is not your friend. Try this instead:

| tstats count where index = yourindex by source,sourcetype
0 Karma
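Going a step beyond the answer above (this is an added example, not one of the posters' searches): event counts answer "which sourcetype is noisiest", but the license question in the thread is about bytes, which Splunk records per index/sourcetype/source/host in its own license_usage.log. Both searches below assume a placeholder index name `<yourIndexName>` and a 24-hour window; run them separately.

```spl
| tstats count where index="<yourIndexName>" earliest=-24h by sourcetype, source
| sort - count

index=_internal source=*license_usage.log* type="Usage" earliest=-24h
| eval MB=round(b/1024/1024,2)
| stats sum(MB) as MB by idx, st, s, h
| sort - MB
```

In license_usage.log the fields are abbreviated (idx=index, st=sourcetype, s=source, h=host, b=bytes), and Splunk squashes s and h to empty values once there are too many distinct combinations, so group by idx and st first and only add s and h if they are populated.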

FrankVl
Ultra Champion

If you get the data by sourcetype, you of course also need to table the sourcetype field, not the source field 🙂

0 Karma

niketn
Legend

Try the following:

| metadata type=sourcetypes index="<yourIndexName>"
| search totalCount>0
| table sourcetype totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

FrankVl
Ultra Champion

Think you’ve caused a bit of confusion by tabling the nonexistent source field 😉

niketn
Legend

@FrankVl, thanks for catching that. I have made the correction!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma