Is there an easy way of showing a list of all used datamodels and what is coming into each (index, sourcetype)?
So far I can do a search on each datamodel and get the indexes, but this means I have to do this separately on every datamodel.
Starting from @jaime_ramirez's solution, I have added a portion of SPL to check whether or not your sourcetypes are going into datamodels, and which ones:
| datamodel
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| search NOT modelName IN (Splunk_CIM_Validation)
| fields modelName
| table modelName
| map maxsearches=40 search="tstats summariesonly=true count from datamodel=$modelName$ by sourcetype | eval modelName=\"$modelName$\""
| append [| search index=_internal source=*license_usage.log type="Usage" pool="herePutYourLicensePool"
| eval sourcetype = st
| stats count by sourcetype
| eval modelName="removeit", count=0
| fields sourcetype modelName count]
| xyseries sourcetype modelName count | fillnull value="N"
| fields - removeit
I found this way to be somewhat effective:
| datamodel
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\""
| fields modelName
| table modelName
| map maxsearches=40 search="tstats `summariesonly` count from datamodel=$modelName$ by sourcetype,index | eval modelName=\"$modelName$\""
Outstanding, Jaime. Thanks for sharing. Without any modification to your search, I was able to copy/paste and find the answer.
Worked for me, thanks.
Here is a way to do it, but you need to add all the datamodels manually:
| tstats `summariesonly` count from datamodel=datamodel1 by sourcetype,index
| eval DM="Datamodel1"
| append
[| tstats `summariesonly` count from datamodel=datamodel2 by sourcetype,index
| eval DM="datamodel2"]
| append
[| tstats `summariesonly` count from datamodel=datamodel3 by sourcetype,index
| eval DM="datamodel3"]