Archive

How can I add the index to the fieldsummary as an extra column?

New Member

If I do index=* | fieldsummary I get the fieldsummary of all indices.
How can I add the index to the fieldsummary as an extra column, so that I will have:

index, field, count, distinct_count, ..., values

0 Karma
1 Solution

Revered Legend

Try this (slower performance)

| eventcount summary=f index=* | table index
| map maxsearch=1000 search="search index=$index$ | fieldsummary | eval index=\"$index$\""
| table index * 

OR

| rest /services/data/indexes | table title | dedup title 
| map maxsearch=1000 search="search index=$title$ | fieldsummary | eval index=\"$title$\""
| table index * 

View solution in original post

0 Karma

Revered Legend

Try this (slower performance)

| eventcount summary=f index=* | table index
| map maxsearch=1000 search="search index=$index$ | fieldsummary | eval index=\"$index$\""
| table index * 

OR

| rest /services/data/indexes | table title | dedup title 
| map maxsearch=1000 search="search index=$title$ | fieldsummary | eval index=\"$title$\""
| table index * 

View solution in original post

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!