Hi All,
Is it possible to get a list of sourcetypes by host and index irrespective of the time range?
I just want the list of index, host and sourcetype for which events are available, even if there is only one event in the last 6 months for any sourcetype/host/index.
The environment is very huge, with 130K+ hosts sending data; the query below only returns the list if an event exists in the selected time range:
| tstats values(sourcetype) as sourcetype where index=* by index host | outputlookup host_list.csv
Is there any other faster/more efficient way to get the results?
Let me know if any other details are required.
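As an added example (not part of the original post), one way to make the inventory independent of the time picker is to pin the window inside the tstats where clause and to record when each index/host/sourcetype combination was last seen, so a row survives even if only a single event exists in the window. The 6-month window, the field names and the lookup name host_sourcetype_inventory.csv are assumptions for illustration:

```spl
| tstats max(_time) as last_seen count as events
    where index=* earliest=-6mon@mon latest=now
    by index host sourcetype
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort index host sourcetype
| outputlookup host_sourcetype_inventory.csv
```

Because tstats reads the tsidx files rather than raw events, the run cost scales with the number of buckets rather than event volume, so it is usually acceptable even at 130K+ hosts; if a single 6-month pass is still too slow, schedule the same search daily over `earliest=-1d@d latest=@d`, append the previous lookup with `| inputlookup append=true`, and keep the newest row per combination with `stats max(last_seen) as last_seen sum(events) as events by index host sourcetype` before writing the lookup back. Carrying `last_seen` in the CSV also gives a direct way to spot sources that have gone quiet, which is the usual reason a security team wants this inventory in the first place.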