Dashboards & Visualizations

DIsplay the source name with the fields

aishwaryabh
New Member

Hi, I have a query where I want to display the field name and source name as well. I am trying to com
|set diff [search index=_internal sourcetype=splunkd
| fieldsummary
| fields field
| rename field AS "splunkd fields"
| append
[ search index=_internal sourcetype=splunkd
| fieldsummary
| fields field
] ]
| append
[ search index=_internal sourcetype=mongod
| fieldsummary
| fields field
| rename field AS "mongod fields"
| append
[ search index=_internal sourcetype=mongod
| fieldsummary
| fields field
]] Any help appreciated.

Tags (1)
0 Karma

aishwaryabh
New Member
index=abc OR index=def earliest=-8d@h latest=now
  | table *
  | stats last(*) as * by sourcetype index
  | eval date_check="yesterday"
  | rename sourcetype as _sourcetype , index as _index, date_check as _date_check
  | foreach * [ eval <<FIELD>> = if(isnotnull('<<FIELD>>'),"<<FIELD>>",null())
  | eval field_names=mvappend(field_names,"<<FIELD>>")]
  | table _* field_names
  | rename _* as *
  | append [search index=abc or index=def earliest=-9d@h latest=-168h@h
  | table *
  | stats last(*) as * by sourcetype index
  | eval date_check="today"
  | rename sourcetype as _sourcetype , index as _index, date_check as _date_check
  | foreach * [ eval <<FIELD>> = if(isnotnull('<<FIELD>>'),"<<FIELD>>",null())
  | eval field_names=mvappend(field_names,"<<FIELD>>")]
  | table _* field_names
  | rename _* as * ]
  | eval index_sourcetype=index."__".sourcetype
  | chart values(field_names) as field_names by index_sourcetype date_check
  | eval tmp=mvappend(today,yesterday)
  | eval diff=abs(mvcount(mvdedup(tmp))-if(isnull(today),0,mvcount(today)))
  | stats values(*) as * count as counts by tmp
  | where counts=1
  | stats values(tmp) as diff_fields max(diff) as diff values(today) as today values(yesterday) as yesterday by index_sourcetype    

I am using the above code and on running it separately with fieldsummary I can see the difference. However on running the who query it doesn't display different fields

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...