Getting Data In

How can I view a list of indexed fields?

tpsplunk
Communicator

I've added an index-time field extraction which overlaps with a delimiter-based search-time extraction. I think I've got the settings right, but I can't use the fact that the field is available from the search app as proof that my field was extracted at index time. What tools can I use to verify that my field was indeed added to the index?

1 Solution

jbsplunk
Splunk Employee

I don't think there is any way to view a list of all fields which Splunk has indexed within the UI, at least AFAIK. What you can do is look at the tags inside the raw data in your hot/warm buckets. The file is called journal.gz. If you unpack it you can read the rawdata and see the indexed fields. Ideally, you should name the fields something slightly different, because as you've seen, this creates a data management headache. Just to reiterate, most of the time index-time field extractions are not necessary.


landen99
Motivator

| rest splunk_server=local /servicesNS/nobody/search/configs/conf-fields | fields - TOKENIZER eai:acl.can_* eai:acl.mod* eai:acl.owner eai:acl.perms* eai:acl.remov* eai:acl.sharing* acl:appName id published updated | search disabled=0 | outputlookup fields_idx.csv


a_kearney
Explorer

A very old question, but I was wondering the same thing today and just came across the answer in a .conf talk by Martin Muller (https://conf.splunk.com/files/2019/summit/FN1003.mp4).

The command walklex (https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex) can be used:

| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field

Hope this is of use to people
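The following is an added example, not configuration or searches from any post in this thread. It puts jbsplunk's advice (give the index-time field a different name from the search-time one) and the walklex check above into one concrete setup, and adds two further checks a practitioner can use to prove a field was written at index time: the `field::value` search syntax, which matches only terms stored in the index and never triggers a search-time extraction, and `tstats`, which reads only the tsidx files. The sourcetype `my_app_log`, the index `app`, the stanza names, the field name `idx_status` and the sample event are all assumptions made for the example.

```ini
# --- transforms.conf (assumed location: $SPLUNK_HOME/etc/system/local) ---

# Index-time extraction. Deliberately named idx_status, NOT status, so it
# cannot be confused with the search-time field of the same meaning.
[idx_status]
REGEX = status=(\d{3})\b
FORMAT = idx_status::$1
WRITE_META = true

# Search-time delimiter extraction; produces fields such as status, method, path
# from a constructed event like:
#   2020-01-15 10:00:00 method=GET status=500 path=/login
[app_delims]
DELIMS = " ", "="

# --- props.conf ---

[my_app_log]
# TRANSFORMS-* runs at index time
TRANSFORMS-idx = idx_status
# REPORT-* runs at search time
REPORT-kv = app_delims

# --- fields.conf ---

# Tell the search head that idx_status lives in the index, so that
# idx_status=500 is looked up in the lexicon instead of requiring the literal
# term "500" in _raw.
[idx_status]
INDEXED = true

# --- verification searches (run after restart and after new data is indexed) ---
#
# 1. Indexed-term syntax. "::" is resolved against the index only, so this
#    returns events only if idx_status really was written at index time:
#
#    index=app sourcetype=my_app_log idx_status::500
#
# 2. tstats reads tsidx only. Grouping by a search-time field returns nothing,
#    grouping by an indexed field returns counts per value:
#
#    | tstats count where index=app sourcetype=my_app_log by idx_status
#
# 3. Lexicon walk (Splunk 8.0+), as in the walklex answer above:
#
#    | walklex index=app type=field
#    | search field=idx_status
```

Running check 1 with `status::500` instead of `idx_status::500` (the search-time field name) should return nothing, which is the contrast the original question was missing: a field that is only extracted at search time can be found with `status=500` but not with `status::500`. Keeping the two names distinct is what makes that contrast observable at all.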

marand
Explorer

This should be marked as the new solution.



SUNDAY
Engager

It's 2020 now; is the answer the same now?


inventsekar
Super Champion

Yes @SUNDAY. Before your answer, in Jan 2020, there was an answer as well.

That walklex should be working fine, as per my understanding.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex

Happy Splunking!

tpsplunk
Communicator

OK, perfect, it is showing up there. Thanks!


jbsplunk
Splunk Employee

Where you see sourcetype and punct, those are fields which are indexed, so I would expect to see it in that section. It's probably easier just to rename the field to something else to ensure it's showing up under the new name, vs. digging through the journal. It isn't my idea of a good time anyway.


tpsplunk
Communicator

How can I tell which are indexed fields in the journal.gz? It looks like all my fields show up (which could be the raw data, I suppose). Would it show up between the sourcetype and the "punct"?
