- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to list all sourcetypes for an app on a Dashbo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to build a dashboard and list all the sourcetypes for an app (e.g. search or splunk_TA_nix). In the settings (Splunk 6.3), I can find a list of sourcetypes and the related apps.
Can somebody tell me what kind of search is this list based on?
I thought about
| rest services/data/
but there are no sourcetypes.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the following query but I don't think you are going to be able to filter by app:
| metadata type=sourcetypes
| table sourcetype
You can specify the index name and return all the sourcetypes for that particular index, but filtering by app it's a different question. If you name all those sourcetypes within the name with a similar pattern, something like "Foo_MyAppName" then it's very easy to filter by that later on, but otherwise I'm not sure.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the following query but I don't think you are going to be able to filter by app:
| metadata type=sourcetypes
| table sourcetype
You can specify the index name and return all the sourcetypes for that particular index, but filtering by app it's a different question. If you name all those sourcetypes within the name with a similar pattern, something like "Foo_MyAppName" then it's very easy to filter by that later on, but otherwise I'm not sure.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did manage to get to the following URI by capturing the HTTP traffic from the Settings menu you indicated before:
http://localhost:8000/en-GB/splunkd/__raw/services/saved/sourcetypes?output_mode=json&count=1000
After that deducing the following query was simple enough:
| rest /services/saved/sourcetypes
| fields title, "eai:acl.app"
| rename title AS sourcetype, "eai:acl.app" AS app_name
Let me know if that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just what I was looking for, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please keep in mind that following endpoint returns dozens of fields so you want to take a look at the full output first before filtering out those fields you think you are going to need:
| rest /services/saved/sourcetypes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much. This worked for me.
|rest /services/saved/sourcetypes
|fields title, "eai:acl.app"
|rename title AS sourcetype, "eai:acl.app" AS app_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer, but thats not quite what I am looking for.
It should look like the list "source types" in the settings. There have to be a search in the background of that list,
does anybody know what this search could look like?
Thanks
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
