Hello, I am going through my company's indices and their sourcetypes and I want to create reports for each sourcetype to display all of their fields in a table. However, there are a lot of sourcetypes and fields, obviously, so I am curious if there's a way to change how the table is displayed. Instead of having all of the fields in one column going down, is there a way to split them evenly in n number of columns? I am not seeing anything in the Documentation or in the Answers section on this, and am having no luck googling it.
i.e. Go from this:
x
x
x
x
x
.
.
.
x
To:
x x x x x x x
x x x x x x x
.
.
.
x x x x x x x
Hope this makes sense. Thanks!
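The question as asked is for the field list wrapped evenly across n columns (a grid), which is slightly different from putting every field in its own column of one row, as the chart-based answers that follow do. As an added example, not code from this thread, the following search lays the fields out in a fixed 7-column grid; it assumes the same index=main sourcetype=JobDetails used in the thread, and the column count 7 is just a chosen value:

```spl
index=main sourcetype=JobDetails
| fieldsummary
| fields field
| sort field
| rename COMMENT as "number each field, then map position n to a grid cell: col = (n-1) mod 7, row = (n-1) div 7"
| streamstats count AS n
| eval col="c".tostring((n-1)%7)
| eval row=floor((n-1)/7)
| rename COMMENT as "xyseries pivots row/col/field into one row per grid row with columns c0..c6"
| xyseries row col field
| fields - row
```

Change the 7 in both eval lines to get a different number of columns; the last grid row is left with empty cells when the field count is not a multiple of the column count. The `rename COMMENT as` lines are no-ops used as inline comments, the same idiom used later in this thread.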
Try like this
index=main sourcetype=JobDetails
| fieldsummary
| table field
| dedup field | eval temp=1
| chart count over temp by field | fields - temp
I apologize, yes it is, I accidentally typed the index wrong. It's displaying the first 10, but then the other 60+ are all under Other. I tried doing different sorts to see if it's just placing the rest after 10 in, but whether I sort + or -, it still shows the same 10 fields.
Hmm...that's not pulling any data.
How about this
index=main sourcetype=JobDetails
| fieldsummary
| table field
| dedup field | eval temp=1
| chart count over temp by field limit=0 | fields - temp
limit=0 did it! You, sir, are a gentleman and a scholar! So, there are roughly 30 sourcetypes. I was going to do this for each one and then add them all to a dashboard. Is there a better way that you would suggest? Not sure if it can print them all out with each show starting with the sourcetype or not.
It would be possible to do all those 30 sourcetypes in one single base search and a single fieldsummary command. Since there are only 30-odd sourcetypes, you can use the map command to loop through each sourcetype and generate this information. The first part of this would be to get the list of index/sourcetype pairs (like index=main sourcetype=JobDetails in this question), then run the map command with the above search to collect the field summary for each sourcetype.
For example, if all your 30 sourcetypes are in index=main and index=main only contains these 30 sourcetypes (nothing extra), then you could do something like this
| tstats count WHERE index=main by index sourcetype
| table index sourcetype
| rename COMMENT as "Above portion gets index/sourcetype list"
| rename COMMENT as "$fieldname$ in below map command takes corresponding value from above search"
| rename COMMENT as "maxsearches is raised from map's default of 10 so that all 30 sourcetypes are searched"
| map maxsearches=100 search="search index=$index$ sourcetype=$sourcetype$ | fieldsummary
| table field
| dedup field | eval temp=1
| chart count over temp by field limit=0 | fields - temp| eval sourcetype=\"$sourcetype$\" | eval index=\"$index$\" | table index sourcetype *"
That's perfect, thank you so much for your help! This will help me get to know our indices and sourcetypes faster.
@sochsenbein , I have converted @somesoni2 's comment to an answer. Please accept to mark this question as answered. Do upvote his comments that helped!
Sorry, forgot to paste the code. Also, the reason why I am asking this, is because I am a new hire Software Engineer, and I do not know our systems. Creating a dashboard with these reports will help me and any future hire learn what data is where.
index=main sourcetype=JobDetails
| fieldsummary
| table field
| dedup field
If your intention is to build a repository of the existing Splunk instance, you should also check out the Knowledge Object Explorer app from Splunkbase.
To get all the field names you can use table * or fieldsummary with transpose, i.e. kind of reversing the approach followed in the following answer (https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html). Run-anywhere searches created based on Splunk's _internal index and splunkd sourcetype:
Option 1
index=_internal sourcetype=splunkd
| head 1
| table *
Option 2
index=_internal sourcetype=splunkd
| fieldsummary
| fields field count
| transpose 0 header_field=field column_name=field
Awesome, I will study up on that, thank you!