After browsing through Splunk Answers, the closest I could get is the following SPL to list all Indexes and Sourcetypes in a single table -
| eventcount summarize=false index=* index!=_* | dedup index | fields index
| map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index SourceType TotalEvents FirstEvent LastEvent
I want to provide the users with the ability to filter by indexes and sourcetypes. Here is what I have so far -
I am unable to achieve 2 things here -
1. When I filter indexes, I want the respective sourcetypes to be filtered in the sourcetypes dropdown
2. Display the table with selected indexes and sourcetypes only (should be able to select multiple in both cases)
The query seems to be slow, but it gives the expected output.
Any advice? Thanks!
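One way to wire up the two cascading multiselects and the filtered table, as an added Simple XML example that is not part of the original post: the sourcetype input's populating search references the index token, so it re-runs whenever the index selection changes, and the table search consumes both tokens. The token names (idx_tok, st_tok) and the use of tstats instead of the metadata/map combination are assumptions made here; tstats is substituted because it answers from the index-time summary and avoids one metadata sub-search per index.

```xml
<form>
  <label>Indexes and Sourcetypes</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- Index picker (assumed token name idx_tok): each selected value is emitted as
         index="name", joined with OR and wrapped in parentheses, e.g. (index="a" OR index="b") -->
    <input type="multiselect" token="idx_tok" searchWhenChanged="true">
      <label>Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <!-- same index enumeration as the SPL in the question -->
        <query>| eventcount summarize=false index=* index!=_* | dedup index | fields index</query>
      </search>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
    </input>
    <!-- Sourcetype picker (assumed token name st_tok): its populating search contains $idx_tok$,
         so Splunk re-runs it and refreshes the choices whenever the index selection changes -->
    <input type="multiselect" token="st_tok" searchWhenChanged="true">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| tstats count where $idx_tok$ by sourcetype | fields sourcetype</query>
      </search>
      <valuePrefix>sourcetype="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- both tokens are already parenthesised OR-groups, so they can be ANDed directly;
               min/max(_time) replace the metadata firstTime/lastTime fields -->
          <query>| tstats count AS TotalEvents min(_time) AS FirstEvent max(_time) AS LastEvent where $idx_tok$ AND $st_tok$ by index sourcetype
| eval Retention=tostring(abs(LastEvent-FirstEvent), "duration")
| convert ctime(FirstEvent) ctime(LastEvent)
| rename index AS Index sourcetype AS SourceType
| table Index SourceType TotalEvents FirstEvent LastEvent Retention</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things to keep in mind when using this pattern: the "All" choice is emitted as index="*" (or sourcetype="*"), so if a user leaves "All" selected while also picking specific values the OR-group still matches everything, and tstats counts reflect indexed events at search time, so they can differ slightly from metadata's totalCount on buckets that are still being written.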