https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/611841#M212713 <P>Can also be accomplished over time by:</P><LI-CODE lang="c">index=summary sourcetype=stash source IN (Summary_Error_*) | fields + * | bin _time span=1d | eval search_name=search_name+"#"+_time | stats mode(*) AS * by search_name | transpose 1000 header_field=search_name column_name=fieldName | eval type=if(match(fieldName,"(_raw|_time|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom") | stats count(*) AS * BY type | transpose 1000 column_name=search_name header_field=type | rename "row 1" AS fieldCount | search search_name!=fieldName | rex field=search_name "(?&lt;search_name&gt;[^#]+)#(?&lt;_time&gt;.*)" | stats max(*) as * BY _time search_name</LI-CODE> Sat, 03 Sep 2022 20:28:42 GMT BDein 2022-09-03T20:28:42Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240118#M71365 <P>Hi,<BR />Trying to get the count of extracted fields per index. I am using the following search for this:</P> <BLOCKQUOTE> <P>index=*|fieldsummary|stats count<BR />This gives me the entire list of all fields in all index.</P> </BLOCKQUOTE> <P>Also "stats count by index" doesnt work as fieldsummary doesnt have index value. How can we get the field count per index.</P> Sun, 04 Sep 2022 21:29:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240118#M71365 harshal_chakran 2022-09-04T21:29:10Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240119#M71366 <P>This one has me stumped in terms of how to achieve this with a search. Bear in mind though even if this is possible that the count of extracted fields will vary depending on the app context, the user that you run the search as, and could change constantly depending on the time ranges that you are using. </P> <P>Is there any chance you could share your use case? There may be another way to achieve what ever it is you are trying to do!</P> <P>If you're not fussed to do it in a single search then you could run the following search:</P> <PRE><CODE> index=* | stats values(*) as * by index </CODE></PRE> <P>and then process the results elsewhere (eg excel, shell script, etc)</P> Mon, 09 May 2016 13:36:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240119#M71366 jplumsdaine22 2016-05-09T13:36:19Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240120#M71367 <P>I am planning to get the extract fields count per index for past 7 days duration and then compare it with the fields count for today.</P> Mon, 16 May 2016 06:28:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240120#M71367 harshal_chakran 2016-05-16T06:28:56Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240121#M71368 <P>Hi, you just like to know how many times a field has a value? (for a certain index)<BR /> I like simple, so how about this?</P> <P>index= sourcetype= field_name=* | stats count(field_name)</P> <P>By adding the wildcard for your field, you only search on events that have a value for your field.<BR /> If the load on this index is too heavy, or you like to do this regularly, you could also consider writing the results to a summary index. ( | collect index= sourcetype=)</P> Tue, 29 Sep 2020 09:41:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240121#M71368 renems 2020-09-29T09:41:58Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240122#M71369 <P>Give this a try</P> <PRE><CODE>index=* | chart limit=0 count(*) as * by index | untable index field value | stats count as fieldcount by index </CODE></PRE> Mon, 16 May 2016 16:24:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/240122#M71369 somesoni2 2016-05-16T16:24:14Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/611838#M212711 <P>How about this one:</P><LI-CODE lang="markup">index=summary sourcetype=stash source IN (Summary_Error_*) | fields + * | stats mode(*) AS #* by search_name | transpose header_field=search_name column_name=fieldName | eval type=if(match(fieldName,"#(_raw|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom") | stats count(*) AS * BY type | transpose column_name=search_name header_field=type | rename "row 1" AS fieldCount | search search_name!=fieldName</LI-CODE><P>It was used for summary index by might as well be used other ways.</P><P>&nbsp;</P> Sat, 03 Sep 2022 19:25:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/611838#M212711 BDein 2022-09-03T19:25:12Z https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/611841#M212713 <P>Can also be accomplished over time by:</P><LI-CODE lang="c">index=summary sourcetype=stash source IN (Summary_Error_*) | fields + * | bin _time span=1d | eval search_name=search_name+"#"+_time | stats mode(*) AS * by search_name | transpose 1000 header_field=search_name column_name=fieldName | eval type=if(match(fieldName,"(_raw|_time|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom") | stats count(*) AS * BY type | transpose 1000 column_name=search_name header_field=type | rename "row 1" AS fieldCount | search search_name!=fieldName | rex field=search_name "(?&lt;search_name&gt;[^#]+)#(?&lt;_time&gt;.*)" | stats max(*) as * BY _time search_name</LI-CODE> Sat, 03 Sep 2022 20:28:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-extracted-fields-count-per-index/m-p/611841#M212713 BDein 2022-09-03T20:28:42Z