Re: Get extracted fields count per index

harshal_chakran · ‎05-05-2016

Hi,
Trying to get the count of extracted fields per index. I am using the following search for this:

index=*|fieldsummary|stats count
This gives me the entire list of all fields in all index.

Also "stats count by index" doesnt work as fieldsummary doesnt have index value. How can we get the field count per index.

BDein · ‎09-03-2022

How about this one:

index=summary sourcetype=stash source IN (Summary_Error_*) 
| fields + * 
| stats mode(*) AS #* by search_name 
| transpose header_field=search_name column_name=fieldName 
| eval type=if(match(fieldName,"#(_raw|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom") 
| stats count(*) AS * BY type 
| transpose column_name=search_name header_field=type 
| rename "row 1" AS fieldCount 
| search search_name!=fieldName

It was used for summary index by might as well be used other ways.

BDein · ‎09-03-2022

Can also be accomplished over time by:

index=summary sourcetype=stash source IN (Summary_Error_*) 
| fields + * 
| bin _time span=1d 
| eval search_name=search_name+"#"+_time
| stats mode(*) AS * by  search_name
| transpose 1000 header_field=search_name column_name=fieldName 
| eval type=if(match(fieldName,"(_raw|_time|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom")
| stats count(*) AS * BY type
| transpose 1000  column_name=search_name header_field=type
| rename "row 1" AS fieldCount
| search search_name!=fieldName
| rex field=search_name "(?<search_name>[^#]+)#(?<_time>.*)"
| stats max(*) as * BY _time search_name

somesoni2 · ‎05-16-2016

Give this a try

index=* | chart limit=0 count(*) as * by index | untable index field value | stats count as fieldcount by index

renems · ‎05-16-2016

Hi, you just like to know how many times a field has a value? (for a certain index)
I like simple, so how about this?

index= sourcetype= field_name=* | stats count(field_name)

By adding the wildcard for your field, you only search on events that have a value for your field.
If the load on this index is too heavy, or you like to do this regularly, you could also consider writing the results to a summary index. ( | collect index= sourcetype=)

jplumsdaine22 · ‎05-09-2016

This one has me stumped in terms of how to achieve this with a search. Bear in mind though even if this is possible that the count of extracted fields will vary depending on the app context, the user that you run the search as, and could change constantly depending on the time ranges that you are using.

Is there any chance you could share your use case? There may be another way to achieve what ever it is you are trying to do!

If you're not fussed to do it in a single search then you could run the following search:

 index=* |   stats values(*) as * by index

and then process the results elsewhere (eg excel, shell script, etc)

harshal_chakran · ‎05-15-2016

I am planning to get the extract fields count per index for past 7 days duration and then compare it with the fields count for today.

How to get extracted fields count per index?

other

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk