Sourcetype missing in Datamodels

datamodels
AzJimbo
You already voted!

| tstats count WHERE index=* NOT index IN(sum_*, *summary, cim_*, es_*,splunkd* splunk_*) by sourcetype 
| fields - count 
| append 
[| datamodel 
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| fields modelName
| table modelName
| map maxsearches=40 search="tstats summariesonly=true count from datamodel=$modelName$ by sourcetype |eval modelName=\"$modelName$\""
]
| fillnull value="placeholder" modelName
| table modelName sourcetype count 
| fillnull value="nullfillerForNextCommand" count
| xyseries sourcetype modelName count
| addtotals
| fillnull value="not_in_DModel" Total
| table sourcetype Total *
| fields - "placeholder"

Splunk Query Repository

Sourcetype missing in Datamodels

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Sourcetype missing in Datamodels

Related Queries

Data model Acceleration Details

Splunk CIM Assist

Listing Data models

Leave A Comment? Click here to cancel reply.