topic Re: Is there an alternative to fieldsummary to show field names for an index? in Monitoring Splunk

Is there an alternative to fieldsummary to show field names for an index?

dkeck — Thu, 18 Feb 2016 09:59:38 GMT

Hi,

My search looks like:

 mysearch....[ index=adc| fieldsummary | fields field]

Is there a command to display the fieldnames (field) of an index without using the fieldsummary command? Or an option for fieldsummary to just return field?

fieldsummary is to extensive and takes to much time.

Thank you

Re: Is there an alternative to fieldsummary to show field names for an index?

chimell — Thu, 18 Feb 2016 10:20:29 GMT

Hi
Use this for example , it will do what you want

index=_internal|fields + *|transpose|table column

index=main|fields + *|transpose|rename column as field|table field

Re: Is there an alternative to fieldsummary to show field names for an index?

jeffland — Thu, 18 Feb 2016 10:25:03 GMT

This is not faster. It still goes to disk and searches events.

Re: Is there an alternative to fieldsummary to show field names for an index?

dkeck — Thu, 18 Feb 2016 10:31:27 GMT

Awesome thank you 🙂

Re: Is there an alternative to fieldsummary to show field names for an index?

chimell — Thu, 18 Feb 2016 10:34:42 GMT

thanks . please dont forget to vote

Re: Is there an alternative to fieldsummary to show field names for an index?

Runals — Thu, 18 Feb 2016 18:18:28 GMT

I have a process setup in the Data Curator app that will periodically go through your data and update a lookup that has sourcetypes and field names. This was done pre KV stores which would be a better process /shrug. At any rate the base query is

earliest=-45s index=asc_tech | regex sourcetype!="(-\d+$|-too_small$)" | dedup sourcetype | fields - _raw date_* index linecount punct eventtype time*pos splunk_server timestamp host source tag* _* | foreach * [eval <<FIELD>> = if(isnotnull('<<FIELD>>'), sourcetype, null())] | stats values(*) as * | transpose | rename "row 1" as sourcetype column as field | makemv delim=" " sourcetype | mvexpand sourcetype | where field!="sourcetype"

With the lookup method the data is quick go through and the process to keep it update runs in the background. With that in place I've done thing like compare the fields to what is called out in the CIM etc. For example (link)

Re: Is there an alternative to fieldsummary to show field names for an index?

dkeck — Fri, 19 Feb 2016 09:25:23 GMT

Thank you for your reply. I will try that.