Splunk Enterprise Security

Is there a way to efficiently list all fields by Sourcetype and field?

tadecleid
New Member

I found a similar post that did not quite fit the bill of what I am trying to do.

I want to be able to create a link graph that shows a logical flow of all of our data from index>sourcetype>fields.

Issues I am running into:
| fieldsummary does not work with metadata and thus does not include the index or sourcetype.

| tstats search is only able to show index and sourcetype.

I figure there is a base search I need to set up to pull the initial sourcetypes to run fieldsummaries on, but I'm not sure how to string these techniques together or if something like this is even feasible without leaving a very heavy burden on the cluster.

I would like to make this a report that updates a lookup weekly so that the dashboard is referencing the lookup instead of running this search.

Thanks in advance for your time!
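One way to string the two techniques together, written here as an added example and not part of the original post or of any Splunk documentation: use `tstats` as the cheap driving search to enumerate index/sourcetype pairs, then hand each pair to `map`, which runs `fieldsummary` on a bounded sample of that sourcetype and re-attaches the index and sourcetype that `fieldsummary` drops. The lookup name `field_inventory.csv`, the 7-day enumeration window, the 24-hour sampling window, the 5000-event sample size and the `maxsearches` value are all assumptions chosen for illustration.

```spl
| tstats count where index=* earliest=-7d by index, sourcetype
| map maxsearches=200 search="search index=\"$index$\" sourcetype=\"$sourcetype$\" earliest=-24h | head 5000 | fieldsummary | fields field count distinct_count | eval index=\"$index$\", sourcetype=\"$sourcetype$\""
| table index sourcetype field count distinct_count
| outputlookup field_intentory_placeholder.csv
```

Save this as a report scheduled weekly (or whatever cadence the cluster tolerates), and point the dashboard at `| inputlookup field_inventory.csv | stats values(field) by index, sourcetype` so it never touches raw events. Two caveats worth knowing: `map` runs one subsearch per index/sourcetype pair, so `maxsearches` must be raised above its default (10) to cover every pair, and that is also the knob that bounds the load on the indexers; and because each subsearch samples only `head 5000` events from the last 24 hours, rare fields that appear only in older or low-volume events can be missed, so treat the counts as a sample-based inventory rather than an exact census.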
