Splunk Search

Can a report be created using metadata/any other data to list all the fields that are available by index and sourcetype?

PatelAshish83
Engager

Is there a way to create a report using metadata or any other data to list all the fields that are available by index and sourcetype?

Example (screenshot attached in the original post)


Just need to get an index, sourcetype and all available fields under them listed out as a report.


Roy_9
Motivator

@PatelAshish83 Hello,

Please try the below search:

| tstats values(sourcetype) as sourcetype where index=* OR index=_*  group by index


Thanks


PickleRick
SplunkTrust

@Roy_9 Your search does something completely different. It shows all sourcetypes from all indexes. It doesn't show any other fields.

Roy_9
Motivator

@PickleRick sorry about that, I misread the question.

Can we append fieldsummary to the search?


PickleRick
SplunkTrust

We can 😉

But adding that to tstats won't give us much. We could add it to the original search.

I must say though that I had completely forgotten about the fieldsummary command. It's another possible approach to OP's question but unfortunately it doesn't let us split the results by any criteria (sourcetype for example).


PickleRick
SplunkTrust

Extractions do not depend on index, so listing them "by index" does not make much sense.

Anyway, the contents of fields.conf can be retrieved by the REST API /services/search/fields call. But in the case of search-time extractions and calculated fields... well, there's no way to say what is "available" in any possible case. You'd have to manually parse all configuration options and decide based on this. And still you wouldn't even touch fields from automatic extractions and so on.

What you could do is list which fields are being extracted from existing events in your given timerange (something similar to what Splunk does when you click "all fields").

For example

<your search>
| stats dc(*) as * by index sourcetype

This will give you information about how many distinct values are there in each field. You could summarize it into a multivalued list by using untable and mvcombine if you want.
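The full pipeline sketched in the answer above, written out as an added example (not the original poster's or the answering user's search). It assumes a 24-hour window and that a field counts as "available" for an index/sourcetype pair when at least one event in that window carries it; the 24h range, the "::" separator and the field names index_sourcetype, field and distinct_count are choices made here for illustration.

```spl
index=* OR index=_* earliest=-24h latest=now
``` comment: the base search; narrow it (or drop index=_*) on a busy deployment, stats dc(*) is not cheap
| stats dc(*) as * by index sourcetype
``` comment: one column per field holding its distinct value count within each index/sourcetype pair
| eval index_sourcetype = index . "::" . sourcetype
| fields - index sourcetype
``` comment: untable needs a single row key, so index and sourcetype are joined temporarily
| untable index_sourcetype field distinct_count
``` comment: rows become (index_sourcetype, field, distinct_count); drop fields absent from the window and internal _-prefixed ones
| where distinct_count > 0 AND NOT match(field, "^_")
| rex field=index_sourcetype "^(?<index>[^:]+)::(?<sourcetype>.+)$"
| fields index sourcetype field
``` comment: mvcombine collapses rows that differ only in "field" into one multivalue row per index/sourcetype
| mvcombine field
| rename field AS available_fields
| sort index sourcetype
```

Save this as a scheduled report if the inventory is wanted regularly; the result is a row per index/sourcetype with a multivalue list of the fields actually seen, which is a snapshot of what was extracted from real events, not a list of every extraction configured (the distinction the answer above makes).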
