Solved: How can I add the index to the fieldsummary as an ...

datitran · ‎01-25-2018

If I do index=* | fieldsummary I get the fieldsummary of all indices.
How can I add the index to the fieldsummary as an extra column, so that I will have:

index, field, count, distinct_count, ..., values

somesoni2 · ‎01-25-2018

Try this (slower performance)

| eventcount summary=f index=* | table index
| map maxsearch=1000 search="search index=$index$ | fieldsummary | eval index=\"$index$\""
| table index *

OR

| rest /services/data/indexes | table title | dedup title 
| map maxsearch=1000 search="search index=$title$ | fieldsummary | eval index=\"$title$\""
| table index *

View solution in original post

somesoni2 · ‎01-25-2018

Try this (slower performance)

| eventcount summary=f index=* | table index
| map maxsearch=1000 search="search index=$index$ | fieldsummary | eval index=\"$index$\""
| table index *

OR

| rest /services/data/indexes | table title | dedup title 
| map maxsearch=1000 search="search index=$title$ | fieldsummary | eval index=\"$title$\""
| table index *

How can I add the index to the fieldsummary as an extra column?

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off