Monitoring Splunk

Is there an alternative to fieldsummary to show field names for an index?

dkeck
Influencer

Hi,

My search looks like:

 mysearch....[ index=adc| fieldsummary | fields field]

Is there a command to display the fieldnames (field) of an index without using the fieldsummary command? Or an option for fieldsummary to just return field?

fieldsummary is to extensive and takes to much time.

Thank you

1 Solution

chimell
Motivator

Hi
Use this for example , it will do what you want

index=_internal|fields + *|transpose|table column

OR

index=main|fields + *|transpose|rename column as field|table field

View solution in original post

Runals
Motivator

I have a process setup in the Data Curator app that will periodically go through your data and update a lookup that has sourcetypes and field names. This was done pre KV stores which would be a better process /shrug. At any rate the base query is

earliest=-45s index=asc_tech | regex sourcetype!="(-\d+$|-too_small$)" | dedup sourcetype | fields - _raw date_* index linecount punct eventtype time*pos splunk_server timestamp host source tag* _* | foreach * [eval <<FIELD>> = if(isnotnull('<<FIELD>>'), sourcetype, null())] | stats values(*) as * | transpose | rename "row 1" as sourcetype column as field | makemv delim=" " sourcetype | mvexpand sourcetype | where field!="sourcetype"

With the lookup method the data is quick go through and the process to keep it update runs in the background. With that in place I've done thing like compare the fields to what is called out in the CIM etc. For example (link)

dkeck
Influencer

Thank you for your reply. I will try that.

0 Karma

chimell
Motivator

Hi
Use this for example , it will do what you want

index=_internal|fields + *|transpose|table column

OR

index=main|fields + *|transpose|rename column as field|table field

chimell
Motivator

thanks . please dont forget to vote

0 Karma

dkeck
Influencer

Awesome thank you 🙂

0 Karma

jeffland
SplunkTrust
SplunkTrust

This is not faster. It still goes to disk and searches events.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...