Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Recover all fields in a Splunk environment

SplunkExplorer
Contributor
‎08-05-2024 02:45 AM

Hi Splunkers, I have the following tasks: I need to compare 2 different Splunk instances, that should be deployed in the same way, but should be not. So I have some sub tasks, to perform this checks.

One of them is this: in the first instances, some fields deployed by previous Splunk admin should be present (as you can imagine, if I'm here to ask for this, no documentation has been produced). Those field should have been replicated also on the second one, migrating some apps and addon on, but some of them could be in a missing state.

So, the idea is: avoiding the most obvious way, whic is GUI-> Settings -> Field, is there another way to ask to Splunk: "hey, could list me all field that are inside you"'? The idea is a search, or recover them from command line, to obtain 2 file and compare them, for example 2 different txt/csv files.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-05-2024 05:00 AM

There are two different approaches to this.

One is to compare the result of searches. But this is limited to a given set of constraints (source, sourcetype, host) and since props and transforms can be defined based on each of those parameters, tracking them down to the real difference in config can be tricky (and doing a summarized field count over - for example - sourcetype might not show you difference in sources).

Another is to run btool and compare effective configs.

splunk btool props list --debug
splunk btool transforms list --debug
splunk btool fields list --debug

and so on

Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-07-2024 07:38 AM

I propose the last option. But in 1st phase it could be easier to find differences without --debug option (this shows where those are defined). After you know those differences then look where those are defined.

0 Karma
Reply

splunkreal
Influencer
‎08-05-2024 03:16 AM

Hi @SplunkExplorer you can try this :

<yoursearch> | stats dc(*) as *
* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...