Splunk Lantern

Source types available

You might want a broad view of all the source types available when doing the following:

Prerequisites 

The data needed in this procedure depends on the types of events you are investigating. The data descriptors can help you decide what data is appropriate for your goal.

Example

Your Splunk deployment has hundreds of data sources (sourcetype) stretching over days, weeks, months or years. You need to know which ones are relevant to a certain investigation.

To optimize the search shown below, you should specify an index and a time range. 

  • Set the search time range to the time relevant to the investigation, if known.
  • Run the following search: 
| metadata type=sourcetypes 
| sort - totalCount
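The following is an added example, not part of the original article, that applies the advice above about scoping the search: it restricts the metadata command to one index (the index name main is an assumption; substitute your own) and converts the epoch timestamps the command returns into readable dates, with an ageDays column showing how long it has been since each source type last received data.

```spl
| metadata type=sourcetypes index=main
| sort - totalCount
| eval ageDays=round((now() - recentTime) / 86400, 1)
| convert ctime(firstTime) ctime(lastTime) ctime(recentTime)
| table sourcetype totalCount firstTime lastTime recentTime ageDays
```

The metadata command returns firstTime, lastTime, recentTime and totalCount for each source type. Set the time range in the time range picker as described above; a source type with a large totalCount but a high ageDays value has stopped being ingested, which is worth knowing before an investigation relies on it.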

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: | metadata type=sourcetypes

Explanation: Return source type metadata generated at the time data was written to an index.

The metadata command can also be used to see the sources and hosts on your network.

You can only use the metadata command if you have the get_metadata capability added to your role.

Splunk Search: | sort - totalCount

Explanation: Sort the results with the most common source type appearing first.

Result

The result shows all the source types available to you. The source type you focus on depends on the nature of the investigation. For example, if you're hunting in PowerShell, you probably want to focus on host-based data sources like Microsoft event logs and Microsoft Sysmon. You might later also look at network data sources, but host-based sources are a good start. 
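As an added example (not from the original article), the search below narrows the list of source types to host-based Windows sources of the kind mentioned above, so you can confirm they exist and are current before starting a PowerShell-focused hunt. The index name wineventlog and the source type patterns are assumptions; adjust them to match the names your add-ons actually assign.

```spl
| metadata type=sourcetypes index=wineventlog
| search sourcetype="*Sysmon*" OR sourcetype="*PowerShell*" OR sourcetype="WinEventLog:Security"
| eval ageDays=round((now() - recentTime) / 86400, 1)
| convert ctime(recentTime)
| sort - totalCount
| table sourcetype totalCount recentTime ageDays
```

An empty result means none of the expected host-based source types are present in that index, and a large ageDays value means the source type is stale; either finding should be resolved with the data owners before the hunt proceeds, since a detection search over missing data produces a false sense of coverage.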
