topic Re: How to display a list of fields for an index? in Splunk Search

How to display a list of fields for an index?

daniel333 — Thu, 14 Jan 2016 22:16:08 GMT

All,

Is it possble to display a list of fields for an index?

Something like this?
index=java | dedup fields | table fields

thanks,
-Daniel

Re: How to display a list of fields for an index?

MuS — Thu, 14 Jan 2016 22:25:55 GMT

Hi daniel333,

Yes, this is possible using stats - take a look at this run everywhere example:

 index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

This will create a list of all field names within index _internal. Adopted to your search this should do it:

index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

Hope this helps ...

cheers, MuS

Re: How to display a list of fields for an index?

ITSX — Thu, 14 Jan 2016 22:26:37 GMT

Youre looking for |fieldsummary|table field

Re: How to display a list of fields for an index?

javiergn — Thu, 14 Jan 2016 22:26:50 GMT

Try:

index=java | stats dc() as * | transpose

Make sure there are some time restrictions applied.

Alternatively take a look at this: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary

Re: How to display a list of fields for an index?

MuS — Thu, 14 Jan 2016 22:28:06 GMT

or use the fieldsummary command in your search:

 index=java | fieldsummary | table field

Re: How to display a list of fields for an index?

477450 — Tue, 28 Mar 2017 13:59:41 GMT

Simple ..!

index=java |table *

Then you can filter whatever fields you don't want.

Re: How to display a list of fields for an index?

cgalligan — Tue, 23 Jan 2018 19:56:13 GMT

The search as noted above:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

works, but is there a way to calculate the event coverage as well? fieldsummary doesn't seem to show this

Re: How to display a list of fields for an index?

landen99 — Tue, 06 Oct 2020 15:27:25 GMT

index=m1 sourcetype=m1a | head 999 | fieldsummary | where count>0 | table field count distinct_count values

Re: How to display a list of fields for an index?

yvassilyeva — Wed, 08 Sep 2021 13:04:14 GMT

Is there a way to display all the fields from a specific index used in all reports? @niketn

Thank you.

Re: How to display a list of fields for an index?

JohnEGones — Thu, 13 Jul 2023 16:04:44 GMT

Thanks for this.

So taking these results, how would I join the index and sourcetype pair for each field name so I would end up with something like this:

someIndex.someSourcetype.someFieldname index=firewall sourcetype=firewall1 fieldnames: host, source, srcip, dest, etc etc. firewall.firewall1.srcip firewall.firewall1.dest firewall.firewall1.destport .... index=networkdevices sourcetype=ids1 (sourcetype=ids2...) networkdevices.ids1.src networkdevices.ids2.dest ... networkdevices.router1.src .... index=someApp sourcetype=someTCPsource someApp.someTCPsource.src someApp.someTCPsource.randomField1 ....

Or, alternately, could I take the results of this query and run some modification of the search you proposed to dump the fieldname for each index:sourcetype pair?

something like:

| tstats values(field) as Field, count where index=* AND sourcetype=* by index, sourcetype

Re: How to display a list of fields for an index?

splunker-wolf — Wed, 01 Oct 2025 20:27:17 GMT

I feel like I'm missing something simple here. I've copied/pasted the query and it doesn't work.

I've tried the options listed below and come back with 0. Can anyone think of a reason why that might happen?

Re: How to display a list of fields for an index?

PickleRick — Wed, 01 Oct 2025 21:56:04 GMT

What exactly did you run?

Re: How to display a list of fields for an index?

splunker-wolf — Thu, 02 Oct 2025 19:12:22 GMT

I tried the following:

index=<myindex> | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

index=<myindex> |table *

index=<myindex> fieldsummary | table*

every search comes back as 0 Events and Statistics (0)

Like I said I feel like I'm missing something simple.

Re: How to display a list of fields for an index?

PickleRick — Fri, 03 Oct 2025 06:48:18 GMT

OK. If you put there literally "<myindex>" that obviously won't work.

I'll assume you actually substituted that for the real index name so in case of an internal index that would be

index=_internal
| stats values(*) AS *
| transpose
| table column
| rename column AS fieldnames

So actually there are several possible issues with those searches. Transpose has its limits, tabling all events can be resource-intensive...

Actually the best one of those seems to be the fieldsummary one.

But if you're not gettting any results (and no errors) at all that means there's something more to it. Inspect the job, check its log.

Do you have the permissions to the target index? Aren't you trying to search over a longer period than permitted for your role?