
Table - compress rows into multiple columns

sochsenbein
Communicator

Hello, I am going through my company's indices and their sourcetypes and I want to create reports for each sourcetype to display all of their fields in a table. However, there are a lot of sourcetypes and fields, obviously, so I am curious if there's a way to change how the table is displayed. Instead of having all of the fields in one column going down, is there a way to split them evenly in n number of columns? I am not seeing anything in the Documentation or in the Answers section on this, and am having no luck googling it.

i.e. Go from this:
x
x
x
x
x
.
.
.
x

To:
x x x x x x x
x x x x x x x
.
.
.
x x x x x x x

Hope this makes sense. Thanks!

1 Solution

somesoni2
Revered Legend

Try like this

index=main sourcetype=JobDetails
| fieldsummary 
| table field 
| dedup field | eval temp=1
| chart count over temp by field | fields - temp

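As an added example (not from any post in this thread), the same fieldsummary / dedup approach can produce the evenly split n-column grid the question asked for, rather than one wide row: number the distinct fields, derive a row and column index from that number, and chart by the column index. It assumes 7 columns and the index=main sourcetype=JobDetails search used in the question.

```spl
index=main sourcetype=JobDetails
| fieldsummary
| table field
| dedup field
| rename COMMENT as "Number the fields 1..N, then map each to a row/column slot in a 7-wide grid"
| streamstats count as n
| eval ncols=7
| eval row=floor((n-1)/ncols), col=(n-1)%ncols
| rename COMMENT as "One result row per grid row; columns 0..6 hold the field names"
| chart values(field) over row by col
| fields - row
```

Change ncols to get a different width; the last row is shorter when the field count is not a multiple of ncols.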


sochsenbein
Communicator

I apologize, yes it is, I accidentally typed the index wrong. It's displaying the first 10, but then the other 60+ are all under Other. I tried doing different sorts to see if it's just placing the rest after 10 in, but whether I sort + or -, it still shows the same 10 fields.


sochsenbein
Communicator

Hmm... that's not pulling any data.


somesoni2
Revered Legend

How about this

index=main sourcetype=JobDetails
| fieldsummary 
| table field 
| dedup field | eval temp=1
| chart count over temp by field limit=0

sochsenbein
Communicator

limit=0 did it! You, sir, are a gentleman and a scholar! So, there are roughly 30 sourcetypes. I was going to do this for each one and then add them all to a dashboard. Is there a better way that you would suggest? Not sure if it can print them all out with each one starting with the sourcetype or not.


somesoni2
Revered Legend

It would be possible to do all those 30 sourcetypes in one single base search and a single fieldsummary command. Since there are only 30-odd sourcetypes, you can use the map command to loop through each sourcetype and generate this information. The first part of this would be to get the list of index/sourcetype pairs (like index=main sourcetype=JobDetails in this question), then run the map command with the above search to collect the field summary for each sourcetype.
For example, if all your 30 sourcetypes are in index=main and index=main only contains these 30 sourcetypes (nothing extra), then you could do something like this:

| tstats count WHERE index=main by index sourcetype 
| table index sourcetype 
| rename COMMENT as "Above portion gets index/sourcetype list"
| rename COMMENT as "$fieldname$ in below map command takes corresponding value from above search"
| map search="search index=$index$ sourcetype=$sourcetype$ | fieldsummary 
  | table field 
  | dedup field | eval temp=1
  | chart count over temp by field limit=0  | fields - temp| eval sourcetype=\"$sourcetype$\" | eval index=\"$index$\" | table index sourcetype *"

sochsenbein
Communicator

That's perfect, thank you so much for your help! This will help me get to know our indices and sourcetypes faster.


niketnilay
Legend

@sochsenbein, I have converted @somesoni2's comment to an answer. Please accept it to mark this question as answered. Do upvote his comments that helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sochsenbein
Communicator

Sorry, forgot to paste the code. Also, the reason I am asking this is that I am a new-hire Software Engineer, and I do not know our systems. Creating a dashboard with these reports will help me and any future hire learn what data is where.

index=main sourcetype=JobDetails
| fieldsummary
| table field
| dedup field


niketnilay
Legend

If your intention is to build a repository of an existing Splunk instance, you should also check out the Knowledge Object Explorer app from Splunkbase.

To get all the field names you can use table * or fieldsummary with transpose, i.e. roughly reversing the approach followed in the following answer (https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html). Run-anywhere search created based on Splunk's _internal index and splunkd sourcetype:

Option 1

index=_internal sourcetype=splunkd
| head 1
| table *

Option 2

index=_internal sourcetype=splunkd 
| fieldsummary 
| fields field count 
| transpose 0 header_field=field column_name=field
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sochsenbein
Communicator

Awesome, I will study up on that, thank you!
