topic Re: How can I show the fields which have a specific value? in Splunk Search

How can I show the fields which have a specific value?

ddrillic — Thu, 13 Apr 2017 14:18:33 GMT

I'm running the following - index=<claims_index> geico | table *. This index has around 200 fields and I would like the query to show only the fields which have geico in them. Is it possible?

Re: How can I show the fields which have a specific value?

somesoni2 — Thu, 13 Apr 2017 14:37:12 GMT

Try this workaround.

index=<claims_index> geico | eval temp=_time | fields - _* | eval _time=temp | fields - temp| table _time *
| untable _time fieldname fieldvalue | where match(fieldvalue,"geico") | xyseries _time fieldname fieldvalue

Re: How can I show the fields which have a specific value?

ddrillic — Thu, 13 Apr 2017 15:14:14 GMT

Not sure if I can grasp it ; -)

Formatted a bit -

index=<claims_index> geico 
| eval temp=_time 
| fields - _* 
| eval _time=temp 
| fields - temp
| table _time *
| untable _time fieldname fieldvalue 
| where match(fieldvalue,"geico") 
| xyseries _time fieldname fieldvalue

This claims_index is huge and since we search explicitly for geico, the query is very slow. Is there a way to see intermediate results? It can run for many hours...

Re: How can I show the fields which have a specific value?

somesoni2 — Thu, 13 Apr 2017 15:22:28 GMT

There are some element in the query to clean fields (remove all _ fields but preserve _time), so looks weird.

YOu can reduce the time range and/or add a head command after the base search to process only few rows for testing.

index=<claims_index> geico  | head 1000
 | eval temp=_time 
 | fields - _* 
 | eval _time=temp 
 | fields - temp
 | table _time *
 | untable _time fieldname fieldvalue 
 | where match(fieldvalue,"geico") 
 | xyseries _time fieldname fieldvalue

Re: How can I show the fields which have a specific value?

ddrillic — Thu, 13 Apr 2017 16:15:59 GMT

So, I ran the following -

index=<claims_index>  geico
 | head 50
 | eval temp=_time 
 | fields - _* 
 | eval _time=temp 
 | fields - temp
 | table _time *
 | untable _time fieldname fieldvalue 
 | where match(fieldvalue,"geico") 
 | xyseries _time fieldname fieldvalue

It finished and said - 50 events (before 4/13/17 10:35:24.000 AM) but no results are shown.

Re: How can I show the fields which have a specific value?

somesoni2 — Thu, 13 Apr 2017 16:21:31 GMT

Can you run the query in parts and see which step the data goes away? (run everything before untable and then keep adding rest)

Re: How can I show the fields which have a specific value?

ddrillic — Thu, 13 Apr 2017 17:18:18 GMT

Perfect - I'll do so...

Re: How can I show the fields which have a specific value?

ddrillic — Thu, 13 Apr 2017 19:05:08 GMT

Let me accept it meanwhile ; -) much much appreciated!!!!