Getting Data In

How can I view a list of indexed fields?

tpsplunk
Communicator

I've added an index time field extraction which overlaps with a delimiter based search time extraction. I think I've got the settings right, but I can't use the fact that the field is available from the search app as proof that my field was extracted at index time. What tools can I use to verify that my field was indeed added to the index?


landen99
Motivator

| rest splunk_server=local /servicesNS/nobody/search/configs/conf-fields
| fields - TOKENIZER eai:acl.can_* eai:acl.mod* eai:acl.owner eai:acl.perms* eai:acl.remov* eai:acl.sharing* acl:appName id published updated
| search disabled=0
| outputlookup fields_idx.csv


a_kearney
Path Finder

A very old question, but I was wondering the same thing today and just came across the answer in conf talk by Martin Muller (https://conf.splunk.com/files/2019/summit/FN1003.mp4)

The command walklex (https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex) can be used:

| walklex index="<index-name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field

Hope this is of use to people

marand
Explorer

This should be marked as the new solution.


jbsplunk
Splunk Employee

I don't think there is any way to view a list of all fields which Splunk has indexed within the UI, at least AFAIK. What you can do is to look at the tags inside of the raw data in your hot/warm buckets. The file is called journal.gz. If you unpack it you can read the rawdata and see the indexed fields. Ideally, you should name the fields something slightly different, because as you've seen, this creates a data management headache. Just to reiterate, most of the time index time field extractions are not necessary.

SUNDAY
Engager

It's 2020 now, and is the answer the same now? 


inventsekar
Ultra Champion

Yes @SUNDAY. Before your answer, in Jan 2020, there was an answer as well.

that walklex should be working fine, as per my understanding. 

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Walklex 

tpsplunk
Communicator

OK, perfect, it is showing up there. Thanks!


jbsplunk
Splunk Employee

Where you see sourcetype and punct, those are fields which are indexed, so I would expect to see it in that section. It's probably easier just to rename the field to something else to ensure it's showing up as the new name, vs. digging through the journal. It isn't my idea of a good time anyway.


tpsplunk
Communicator

How can I tell which are indexed fields in the journal.gz? It looks like all my fields show up (which could be the raw data, I suppose). Would it show up between the sourcetype and the "punct"?

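A small checker for the two things this thread is about, added here as an example and not taken from the thread or from Splunk: it reads an app's props.conf, transforms.conf and fields.conf to list which fields are actually written at index time (a TRANSFORMS- entry whose transform sets WRITE_META = true and a FORMAT of name::value) and whether fields.conf marks each of them INDEXED = true, then counts name:: tokens in a decompressed journal.gz the way jbsplunk describes. The conf text and the journal bytes below are constructed for the example. The script assumes, as the thread does, that index-time fields sit in the decompressed journal as plain name::value strings next to sourcetype:: and punct::; it does not understand Splunk's journal framing, so a name::value string inside the raw event text is counted too, which is exactly why all of tpsplunk's fields appeared to be present. Treat the journal count as a hint and walklex against the tsidx as the proof.

```python
"""Cross-check index-time field config against what a journal.gz contains.

Added example; the conf fragments and journal bytes are constructed, not real data.
"""
import configparser
import gzip
import re
from collections import Counter

# Constructed props.conf: one sourcetype with both an index-time extraction
# (TRANSFORMS-) and a delimiter-based search-time extraction (REPORT-) that
# produce a field called "user", i.e. the overlap the question describes.
PROPS_CONF = """\
[syslog_custom]
TRANSFORMS-idx = idx_user
REPORT-csv = csv_fields
"""

# Constructed transforms.conf: idx_user writes to _meta (WRITE_META = true), so it
# is index-time; csv_fields is a plain DELIMS extraction, so it is search-time only.
TRANSFORMS_CONF = """\
[idx_user]
REGEX = ^[^,]+,([^,]+),
FORMAT = user::$1
WRITE_META = true

[csv_fields]
DELIMS = ","
FIELDS = "ts", "user", "action"
"""

# Constructed fields.conf: without INDEXED = true a search for user=alice is
# answered by the search-time extraction and proves nothing about the index.
FIELDS_CONF = """\
[user]
INDEXED = true
"""

# Constructed stand-in for a decompressed journal.gz: metadata tokens plus one raw
# event. "user::alice" is the index-time field; the raw event also carries the
# text "session::deadbeef" to show that raw data can mimic a metadata token.
SAMPLE_JOURNAL_GZ = gzip.compress(
    b"\x00host::webfront01\x00source::/var/log/app.csv\x00sourcetype::syslog_custom"
    b"\x00user::alice\x00punct::__,_,\x00"
    b"1700000000,alice,login session::deadbeef\n"
)

# Default metadata fields Splunk always indexes; the thread names sourcetype and punct.
BUILTIN_INDEXED = {"host", "source", "sourcetype", "punct"}

# A name:: token not glued to a preceding word or colon (so "a::b::c" yields only "a").
_TOKEN = re.compile(r"(?<![\w:])([A-Za-z_][\w-]*)::")


def _parse(conf_text):
    """Parse Splunk .conf text; keys are case-sensitive and only '=' separates them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def index_time_fields(props_text, transforms_text):
    """Map field name -> transform stanza for every TRANSFORMS- entry that writes _meta."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    found = {}
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (v.strip() for v in value.split(",")):
                if not transforms.has_section(name):
                    continue
                t = dict(transforms.items(name))
                writes_meta = (t.get("WRITE_META", "false").lower() == "true"
                               or t.get("DEST_KEY") == "_meta")
                if writes_meta:
                    for field in re.findall(r"([A-Za-z_]\w*)::", t.get("FORMAT", "")):
                        found[field] = name
    return found


def declared_indexed(fields_text):
    """Field names whose fields.conf stanza sets INDEXED = true."""
    cp = _parse(fields_text)
    return {s for s in cp.sections() if cp.get(s, "INDEXED", fallback="false").lower() == "true"}


def journal_field_tokens(journal_gz):
    """Count name:: tokens in the decompressed journal (assumption: plain name::value strings)."""
    text = gzip.decompress(journal_gz).decode("latin-1")
    return Counter(_TOKEN.findall(text))


def verify(props_text, transforms_text, fields_text, journal_gz):
    """Per index-time field: is it in the journal, and is it declared INDEXED?
    Also return journal tokens that neither the config nor the defaults explain."""
    idx = index_time_fields(props_text, transforms_text)
    declared = declared_indexed(fields_text)
    seen = journal_field_tokens(journal_gz)
    report = {f: {"in_journal": seen[f] > 0, "declared_indexed": f in declared} for f in idx}
    unexplained = {tok for tok in seen if tok not in idx and tok not in BUILTIN_INDEXED}
    return report, unexplained


if __name__ == "__main__":
    report, unexplained = verify(PROPS_CONF, TRANSFORMS_CONF, FIELDS_CONF, SAMPLE_JOURNAL_GZ)
    for field, status in report.items():
        print(field, status)
    print("journal tokens not explained by config (raw-data look-alikes?):", sorted(unexplained))
```

On a real indexer, replace the inline strings with the merged configuration from `splunk btool props list <sourcetype> --debug`, `splunk btool transforms list --debug` and `splunk btool fields list --debug`, and point `journal_field_tokens` at a hot or warm bucket's rawdata/journal.gz. Anything listed as unexplained is either a raw-event string that happens to look like a metadata token or an index-time field configured somewhere you did not look; walklex on the bucket's tsidx settles which.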