
How to display fields from two different sources using FieldSummary

mahbs
Path Finder

Hi

I have two different sources. I'm trying to display the fields present in both of those sources to verify what fields they contain.

This is what I have so far:

index=drv (sourcetype=xxx OR sourcetype=yyy) NOT host="oo" | fieldsummary | eval test="xxx" | eval reference="yyy" | table field test field reference 

I know it's wrong, but that's where I am at the moment. I need to have multiple "fields".
I also would like to know how I can count the number of fields present in both sourcetypes.

Thanks!


woodcock
Esteemed Legend

Maybe this:

index=drv (sourcetype=xxx OR sourcetype=yyy) NOT host="oo"
| multireport
    [ | search sourcetype=xxx | fieldsummary | eventstats count AS numFields ]
    [ | search sourcetype=yyy | fieldsummary | eventstats count AS numFields ]

ybongart_splunk
Splunk Employee

Having now read your comment response to @niketnilay...

Also very nasty SPL, but just for fun... this gives you what you described:

index=_internal sourcetype=splunkd 
| fieldsummary 
| fields field 
| rename field AS "splunkd fields" 
| append 
    [ search index=_internal sourcetype=splunkd 
    | fieldsummary 
    | fields field 
    | stats count AS "splunkd fields"] 
| appendcols 
    [ search index=_internal sourcetype=mongod 
    | fieldsummary 
    | fields field 
    | rename field AS "mongod fields" 
    | append 
        [ search index=_internal sourcetype=mongod 
        | fieldsummary 
        | fields field 
        | stats count AS "mongod fields"]]

ybongart_splunk
Splunk Employee

These may not be super efficient, but if you are just exploring the fields in your sourcetypes they should suffice...

If you want to display only the names of fields which appear in both sourcetypes:

| set intersect
    [ search index=_internal sourcetype=splunkd | fieldsummary | fields field ]
    [ search index=_internal sourcetype=mongod | fieldsummary | fields field ]

And the number of field names they have in common:

| set intersect
    [ search index=oidemo sourcetype=access_combined | fieldsummary | fields field ]
    [ search index=oidemo_notable sourcetype=stash | fieldsummary | fields field ]
| stats count

If you want the combined list of field names across both sourcetypes:

(index=_internal sourcetype=splunkd) OR (index=_internal sourcetype=mongod) | fieldsummary 
| fields field

And their number of unique field names across both sourcetypes:

(index=_internal sourcetype=splunkd) OR (index=_internal sourcetype=mongod) | fieldsummary 
| fields field
| stats count
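One search that gives the side-by-side view the question asks for (every field name, which sourcetype(s) it was seen in, a per-sourcetype field count and the number of fields common to both), as an added example that is not from any of the answers above; it assumes the same index=_internal, sourcetype=splunkd and sourcetype=mongod used in the answers, and all field names (in_splunkd, in_mongod, status, *_field_count) are made up here:

```spl
index=_internal sourcetype=splunkd
| fieldsummary
| fields field
| eval in_splunkd=1
| append
    [ search index=_internal sourcetype=mongod
    | fieldsummary
    | fields field
    | eval in_mongod=1 ]
| stats max(in_splunkd) AS in_splunkd max(in_mongod) AS in_mongod BY field
| fillnull value=0 in_splunkd in_mongod
| eval status=case(in_splunkd=1 AND in_mongod=1, "both",
                   in_splunkd=1, "splunkd only",
                   true(), "mongod only")
| eventstats sum(in_splunkd) AS splunkd_field_count
             sum(in_mongod) AS mongod_field_count
             count(eval(status="both")) AS common_field_count
| table field in_splunkd in_mongod status splunkd_field_count mongod_field_count common_field_count
```

The stats BY field collapses the two field lists into one row per field name, so the three eventstats totals are the same on every row. Note that fieldsummary only reports fields that actually occurred in events within the searched time range, and the appended subsearch is subject to the usual subsearch result and time limits.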

niketn
Legend

@mahbs, I think for the community to assist you, you would need to provide more details. Can you add which fields from the respective sources you are interested in? What is the desired output, and what is your use case?

Maybe add current output and state what is wrong and what would be correct output.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mahbs
Path Finder

Hi, I'm interested in all the fields associated with the sourcetype. What I want is for those fields to be displayed in a table format for both sourcetypes, as well as a count of the total number of fields for each sourcetype.
