Getting Data In

How can I view a list of indexed fields?

tpsplunk
Communicator

I've added an index-time field extraction which overlaps with a delimiter-based search-time extraction. I think I've got the settings right, but I can't use the fact that the field is available from the search app as proof that my field was extracted at index time. What tools can I use to verify that my field was indeed added to the index?

1 Solution

a_kearney
Path Finder

A very old question, but I was wondering the same thing today and just came across the answer in a .conf talk by Martin Muller (https://conf.splunk.com/files/2019/summit/FN1003.mp4).

The command walklex (https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex) can be used:

| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field

Hope this is of use to people.

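As an added example (not from any post in this thread), here is the kind of configuration the question describes, followed by two checks that only succeed for fields that were actually written to the index; the sourcetype, index name, field name and regex are assumptions:

```ini
# Added example, not from the thread. Sourcetype "myapp", index "myidx",
# field "txn_id" and the regex are assumed values.

# transforms.conf: extract the value at index time and write it as metadata
[myapp_txn_id_idx]
REGEX = txn=(\w+)
FORMAT = txn_id::$1
WRITE_META = true

# props.conf: apply the transform to the sourcetype at index time
[myapp]
TRANSFORMS-txn = myapp_txn_id_idx

# fields.conf: tell the search head the field lives in the index,
# otherwise a same-named search-time extraction can mask where it came from
[txn_id]
INDEXED = true

# Verification after restarting the indexer and ingesting new data:
# 1. walklex reads the .tsidx lexicon directly, so the field only appears
#    if it was indexed:
#    | walklex index="myidx" type=field | search field=txn_id
# 2. tstats works only over indexed fields; a search-time-only field
#    returns no rows here:
#    | tstats count where index=myidx by txn_id
```

If the same field name also has a search-time extraction, renaming the index-time field (as suggested further down the thread) keeps the two results distinguishable.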

landen99
Motivator

| rest splunk_server=local /servicesNS/nobody/search/configs/conf-fields
| fields - TOKENIZER eai:acl.can_* eai:acl.mod* eai:acl.owner eai:acl.perms* eai:acl.remov* eai:acl.sharing* acl:appName id published updated
| search disabled=0
| outputlookup fields_idx.csv

0 Karma

marand
Explorer

This should be marked as the new solution.

0 Karma

jbsplunk
Splunk Employee

I don't think there is any way to view a list of all fields which Splunk has indexed within the UI, at least AFAIK. What you can do is look at the tags inside of the raw data in your hot/warm buckets. The file is called journal.gz. If you unpack it you can read the rawdata and see the indexed fields. Ideally, you should name the fields something slightly different, because as you've seen, this creates a data management headache. Just to reiterate, most of the time index-time field extractions are not necessary.

SUNDAY
Engager

It's 2020 now, and is the answer the same now?

0 Karma

inventsekar
SplunkTrust

Yes @SUNDAY... before your answer, in Jan 2020, there was an answer as well.

That walklex should be working fine, as per my understanding.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex

Thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

tpsplunk
Communicator

OK, perfect, it is showing up there. Thanks!

0 Karma

jbsplunk
Splunk Employee

Where you see sourcetype and punct, those are fields which are indexed, so I would expect to see it in that section. It's probably easier just to rename the field to something else to ensure it's showing up as the new name, vs. digging through the journal. It isn't my idea of a good time anyway.

0 Karma

tpsplunk
Communicator

How can I tell which are indexed fields in the journal.gz? It looks like all my fields show up (which could be the raw data, I suppose). Would it show up between the sourcetype and the "punct"?

0 Karma