I can use a rest search from the `services/data/indexes`endpoint to calculate storage statistics, like the index size in GB, of each index. I would like to combine these storage statistics to a table that has the index, sourcetype, and host. Currently, I'm using this tstats search:
`| tstats count where index=* by index sourcetype, host | stats list(host) as Hosts by index sourcetype| rename index as "Index", sourcetype as "Sourcetype(s)"`
I don't believe that `|rest` and `|tstats` can be used together. Is there a way I can do this only using `|tstats`? Possibly by using license usage?
Any help is appreciated.
↧