Source types available
Your Splunk deployment has hundreds of data sources stretching over days, weeks, months, or years. You need to know which ones are relevant to a certain investigation.
Procedure
- Set the search time range to the time relevant to the investigation, if known.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| metadata type=sourcetypes | sort - totalCount
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Return source type metadata generated at the time data was written to an index. The metadata command can also be used to see the sources and hosts on your network. You can only use the metadata command if you have the |
|
|
Sort the results with the most common source type appearing first. |
Next steps
The result shows all the source types available to you. The source type you focus on depends on the nature of the investigation. For example, if you're hunting in PowerShell, you probably want to focus on host-based data sources like Microsoft event logs and Microsoft Sysmon. You might later also look at network data sources, but host-based sources are a good start.
Finally, you might be interested in other processes associated with the Creating a timebound picture of network activity use case.