topic Re: Generate list of all Fields in a Search? in Splunk Search

Generate list of all Fields in a Search?

muebel — Thu, 08 Jul 2010 01:51:10 GMT

I would like to export a list of the fieldnames in any given search. How could I do this?

Re: Generate list of all Fields in a Search?

sideview — Thu, 08 Jul 2010 01:55:45 GMT

This will give you a single row with one column for every field, where the cell values are the distinct counts:

<your search> | stats dc(*) as *

and then tacking the transpose command on the end will flip it around:

<your search> | stats dc(*) as * | transpose

It'll be MUCH faster to run this search in the 'advanced charting' view instead of the default search UI, but once it's run you should be able to use the UI to export it as you would a regular search.

Re: Generate list of all Fields in a Search?

Lowell — Thu, 08 Jul 2010 02:34:09 GMT

I'm not sure about the "advanced charting" speed up thing. Doesn't the very nature of a stats "dc(*)" mean that all fields have to be extracted anyways. It seems like will be an expensive operation no matter what.

Re: Generate list of all Fields in a Search?

Lowell — Thu, 08 Jul 2010 02:38:19 GMT

Just a quick addition to what Nick said.

If you want to also see hidden fields, you can do so with a search like this:

... | rename _* AS aHiddenField__* | stats dc(*) as * | transpose | replace "aHiddenField__*" with "_*" in column

Update: As pointed out in a commend below, that this can be further simplified like so:

... | stats dc(_*) as aHiddenField__* dc(*) as * | transpose | replace "aHiddenField__*" with "_*" in column

Both of these approaches simply rename hidden fields temporarily (they are given a hopefully unique prefix). Afterwards we use a replace to return the fields to their original names.

Re: Generate list of all Fields in a Search?

gkanapathy — Thu, 08 Jul 2010 03:19:30 GMT

Advanced charting will be faster primarily because it doesn't need to keep track of a top for every single field in addition to the main search.

Re: Generate list of all Fields in a Search?

gkanapathy — Thu, 08 Jul 2010 03:23:29 GMT

If you want hidden fields, you can also do ... | stats dc(_*) as xxx_* , dc(*) as * instead, or just ... | stats dc(_*),dc(*)

Re: Generate list of all Fields in a Search?

sideview — Thu, 08 Jul 2010 05:45:49 GMT

Indeed. flashtimeline will dispatch even the simplest reporting command in a way that incurs huge expense. Check out the 'Affecting Search Performance' section of the ui_examples app. The examples and the copy in there will give you a quick tour of the issues.

Re: Generate list of all Fields in a Search?

Lowell — Thu, 08 Jul 2010 20:17:37 GMT

Nick, I can't find that section in the ui_example apps. I downloaded the latest copy of the app (1.1 from Jan 19, 2010) -- from this URL http://www.splunkbase.com/apps/All/4.x/Add-On/app:UI+Examples But I am unable to find the view which contains this information. Is there a newer version somewhere else?

Re: Generate list of all Fields in a Search?

Lowell — Thu, 08 Jul 2010 20:55:39 GMT

I found it. I was looking at the 4.0 examples and had not noticed that a new one for 4.1 was released. Here is the URL for anyone following along: http://www.splunkbase.com/apps/All/4.x/Add-On/app:UI+Examples+for+4.1

Re: Generate list of all Fields in a Search?

jpass — Fri, 15 Feb 2013 16:35:31 GMT

Is there a way to output only the fields identified in transforms.conf?

If not, can you ordered the fields by the percentage of events that contain those fields?

Re: Generate list of all Fields in a Search?

helge — Wed, 28 Jan 2015 01:05:59 GMT

This works in Splunk 6.2.1 only if you add an asterisk after the as, like so:

<your search> | stats dc() as * | transpose

Re: Generate list of all Fields in a Search?

HattrickNZ — Wed, 18 Mar 2015 22:09:47 GMT

this worked for me

... | stats dc(c*) look for fields beginning with c,
... | stats dc(c*) | transpose look for fields beginning with c, transpose just flips it

Now what i want to know is how to insert row number when i flip it using transpose?
found it here
... | stats dc(c*) | transpose | streamstats count as row | fields row *

Re: Generate list of all Fields in a Search?

lguinn2 — Fri, 10 Jun 2016 16:19:19 GMT

Since the original answer in 2010, we now have the fieldsummary command, so you can list the fields from a search:

yoursearchhere | fieldsummary

This command provides a lot more info than just the field names, though. So you might want to do this

yoursearchhere | fieldsummary | fields field

Re: Generate list of all Fields in a Search?

jzapantis — Tue, 02 May 2017 20:34:04 GMT

how to do this without getting _time and _raw?