Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Create a field whose value is a multi-value list of all field names in each respective event

landen99
Motivator
‎07-07-2014 09:16 AM

I'd like to create a field whose value is a multi-value list of all field names in each respective event. I don't mind if it includes core fields like _time, or not.

example: fieldlist=host, source, sourcetype, _time, index, eventtype, punct, srcip, dst_ip, etc.

Tags (3)
0 Karma
Reply
Highlighted

Re: Create a field whose value is a multi-value list of all field names in each respective event

somesoni2
SplunkTrust
SplunkTrust
‎07-07-2014 01:22 PM

can you share some raw events from your logs?

0 Karma
Reply
Highlighted

Re: Create a field whose value is a multi-value list of all field names in each respective event

martin_mueller
SplunkTrust
SplunkTrust
‎07-07-2014 05:40 PM

This should do it, using _internal to provide sample data:

index=_internal | head 5 | eval fields = "" | foreach * [eval fields = fields . if(isnotnull('<<FIELD>>'), "<<FIELD>>#", "")] | eval fields = rtrim(fields, "#") | makemv delim="#" fields

I've assumed that no field name is containing the # sign - adjust the delimiter if that's not appropriate for your field names. Additionally I've assumed that there's no field called fields.
This won't match fields starting with an underscore such as _time, if you want to include those you can list them after the asterisk.
Requires Splunk 6.

0 Karma
Reply