Solved: how can i view a list of indexed fields?

tpsplunk · ‎07-06-2011

I've added an index time field extraction which overlaps with a delimiter based search time extraction. i think i've got the settings right, but i can't use the fact that the field is available from the search app as proof that my field was extracted at index time. what tools can i use to verify that my field was indeed added to the index?

a_kearney · ‎01-22-2020

A very old question, but I was wondering the same thing today and just came across the answer in conf talk by Martin Muller (https://conf.splunk.com/files/2019/summit/FN1003.mp4)

The command walklex (https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex) can be used:

| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field

Hope this is of use to people

View solution in original post

landen99 · ‎10-06-2020

| rest splunk_server=local /servicesNS/nobody/search/configs/conf-fields | fields - TOKENIZER eai:acl.can_* eai:acl.mod* eai:acl.owner eai:acl.perms* eai:acl.remov* eai:acl.sharing* acl:appName id published updated | search disabled=0 | outputlookup fields_idx.csv

a_kearney · ‎01-22-2020

A very old question, but I was wondering the same thing today and just came across the answer in conf talk by Martin Muller (https://conf.splunk.com/files/2019/summit/FN1003.mp4)

The command walklex (https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex) can be used:

| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field

Hope this is of use to people

marand · ‎06-30-2021

This should be marked as the new solution.

jbsplunk · ‎07-07-2011

I don't think there is any way to view a list of all fields which splunk has indexed within the UI, at least AFAIK. What you can do is to look at the tags inside of the raw data in your hot/warm buckets. The file is called journal.gz. If you unpack it you can read the rawdata and see the indexed fields. Ideally, you should name the fields something slightly different, because as you've seen, this creates a data management headache. Just to reiterate, most of the time index time field extractions are not necessary.

SUNDAY · ‎09-25-2020

It's 2020 now, and is the answer the same now?

inventsekar · ‎09-25-2020

Yes @SUNDAY .. before your answer, Jan 2020 there was an answer as well.

that walklex should be working fine, as per my understanding.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex

tpsplunk · ‎07-08-2011

ok, perfect it is showing up there. thanks!

jbsplunk · ‎07-08-2011

where you see sourcetype and punct, those are fields which are indexed, so I would expect to see it in that section. Its probably easier just to rename the field to something else to ensure its showing up as the new name, vs digging through the journal. It isn't my idea of a good time anyway.

tpsplunk · ‎07-08-2011

how can i tell which are indexed fields in the journal.gz? it looks like all my fields show up (which could be the raw data i suppose). would it show up between the sourcetype and the "punct"?

how can i view a list of indexed fields?

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake