Monitoring Splunk

Is there an alternative to fieldsummary to show field names for an index?

dkeck
Influencer

Hi,

My search looks like:

 mysearch....[ index=adc| fieldsummary | fields field]

Is there a command to display the fieldnames (field) of an index without using the fieldsummary command? Or an option for fieldsummary to just return field?

fieldsummary is to extensive and takes to much time.

Thank you

1 Solution

chimell
Motivator

Hi
Use this for example , it will do what you want

index=_internal|fields + *|transpose|table column

OR

index=main|fields + *|transpose|rename column as field|table field

View solution in original post

Runals
Motivator

I have a process setup in the Data Curator app that will periodically go through your data and update a lookup that has sourcetypes and field names. This was done pre KV stores which would be a better process /shrug. At any rate the base query is

earliest=-45s index=asc_tech | regex sourcetype!="(-\d+$|-too_small$)" | dedup sourcetype | fields - _raw date_* index linecount punct eventtype time*pos splunk_server timestamp host source tag* _* | foreach * [eval <<FIELD>> = if(isnotnull('<<FIELD>>'), sourcetype, null())] | stats values(*) as * | transpose | rename "row 1" as sourcetype column as field | makemv delim=" " sourcetype | mvexpand sourcetype | where field!="sourcetype"

With the lookup method the data is quick go through and the process to keep it update runs in the background. With that in place I've done thing like compare the fields to what is called out in the CIM etc. For example (link)

dkeck
Influencer

Thank you for your reply. I will try that.

0 Karma

chimell
Motivator

Hi
Use this for example , it will do what you want

index=_internal|fields + *|transpose|table column

OR

index=main|fields + *|transpose|rename column as field|table field

chimell
Motivator

thanks . please dont forget to vote

0 Karma

dkeck
Influencer

Awesome thank you 🙂

0 Karma

jeffland
SplunkTrust
SplunkTrust

This is not faster. It still goes to disk and searches events.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...