Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Sourcetype missing in Datamodels

datamodels

Description

Submitted by AzJimbo

0 0 
| tstats count WHERE index=* NOT index IN(sum_*, *summary, cim_*, es_*,splunkd* splunk_*) by sourcetype 
| fields - count 
| append 
[| datamodel 
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| fields modelName
| table modelName
| map maxsearches=40 search="tstats summariesonly=true count from datamodel=$modelName$ by sourcetype |eval modelName=\"$modelName$\""
]
| fillnull value="placeholder" modelName
| table modelName sourcetype count 
| fillnull value="nullfillerForNextCommand" count
| xyseries sourcetype modelName count
| addtotals
| fillnull value="not_in_DModel" Total
| table sourcetype Total *
| fields - "placeholder"

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom