One of my customers wants to understand how many event sources are configured, integrated and logging into SA, and by which collection type, because it has been observed that too many event sources have never logged into SA.
So the idea I have in mind is to create a meta key which contains all the collection methods, so that we can understand how many event sources are reporting under each collection method.
Kindly suggest how I can deploy this in the environment. Thanks to all.
This is just a report; I'm fairly certain that you don't need to go to the trouble of creating a custom meta key.
Just create a rule that selects device.type, then lookup_and_add device.host and dedup it. Aggregate by Event Count and you've got a pretty decent picture of how many events are coming from where across any selected time frame.