topic Re: get all fields in Splunk Search

get all fields

Shakira1 — Tue, 17 Oct 2023 11:59:05 GMT

I need to get the count of all fields in some index and then calculate how many times in percentage it occurred out of all events.

hope its clear.

thank you!

Re: get all fields

richgalloway — Tue, 17 Oct 2023 13:13:58 GMT

Use the fieldsummary command to get the field info then calculate the percentage from that info. It's not clear which percentage is sought so modify the eventstats and eval commands below as necessary.

index=_internal | fieldsummary ``` Get the total number of fields ``` | eventstats sum(count) as Total,sum(distinct_count) as TotalDistinct ``` Compute the percentages ``` | eval Pct=round(count*100/Total,2), DistPct=round(distinct_count*100/TotalDistinct,2)

Re: get all fields

Shakira1 — Tue, 17 Oct 2023 13:52:52 GMT

I would like to get the percentage of some count field from the total count

for example:

after using fieldsummary I got this: [{"value":"/System/Library/LaunchAgents/com.apple.mdworker.shared.plist","count":61372} under value key

and the total count events is1,039,803, so in a new field I want to get the calculate for how much in percentage the count (61372) is from the total (1,039,803), this result I want to get to all my fields.

Re: get all fields

richgalloway — Tue, 17 Oct 2023 14:25:49 GMT

Is this more like what you envision?

index=_internal | fieldsummary | eventstats sum(count) as Total ``` Get rid of fields we don't need ``` | fields - max mean min stdev is_exact ``` Convert the values array to a multi-value field ``` | eval mv_values=json_array_to_mv(values) ``` Put each value into a separate event ``` | mvexpand mv_values ``` Extract value and its count ``` | rex field=mv_values "value\\\":\\\"(?<value>[^\"]+)\\\",\\\"count\\\":(?<valueCount>\d+)" | eval Pct=round(valueCount*100/Total,2) | table field value valueCount Pct

Re: get all fields

Shakira1 — Wed, 18 Oct 2023 07:31:27 GMT

its looking very good! thank you.

I just dont understand the calculate results.

for example: in valueCount I have 294723 from the total which is 1360007 should be ≈ 21.67% but in Pct field value I have 0.33, Do you know why?

all my results in Pct are not correct.

Re: get all fields

richgalloway — Wed, 18 Oct 2023 15:05:31 GMT

I don't get it, either. When I plug your numbers into the query I get the expected 21.67. Can you share a screenshot just so we're sure we're looking at the right numbers?

Re: get all fields

Shakira1 — Thu, 19 Oct 2023 07:29:29 GMT

sure.

attached the valueCount and Pct.

also the number of events: 1,380,350 events