Hi,
I want to generate a new dashboard from the Splunk logs.
I want all the fields that are present in the raw data, not only the ones that are generated by Splunk.
I have this criteria:
index=abc ns=xyz app_name=gateway*
I want all the fields that are present for this query in the raw data. Can someone guide me on how we can get all the fields?
Thanks in advance.
The fields as you say are listed on the left - try adding them to your transformation e.g.
... search
| table *
Assuming they're already extracted, you can add | fieldsummary to your search.
Hi ITWhisperer,
Sample logs
2020-09-10T02:23:14.927038622Z app_name=abc ns=xyz pod_container=init-vault pod_name=abc-deployment-74-tlzxv message=secrets file already exists; exiting ...
2020-09-10T03:52:26.646777037Z app_name=abc ns=xyz pod_container=init-vault pod_name=babc-deployment-17-rpn2h message=secrets file already exists; exiting ...
host = lgpecpe.gso.bc.com
message = secrets file already exists
source = /var/log/agent/tmp/containers.log
sourcetype = container-log
kv does a reasonable job as a starting point
...
| kv
| _raw | _time | app_name | message | ns | pod_container | pod_name |
| --- | --- | --- | --- | --- | --- | --- |
| 2020-09-10T02:23:14.927038622Z app_name=abc ns=xyz pod_container=init-vault pod_name=abc-deployment-74-tlzxv message=secrets file already exists; exiting ... | 2020-09-10 08:11:33 | abc | secrets file already exists | xyz | init-vault | abc-deployment-74-tlzxv |
| 2020-09-10T03:52:26.646777037Z app_name=abc ns=xyz pod_container=init-vault pod_name=babc-deployment-17-rpn2h message=secrets file already exists; exiting ... | 2020-09-10 08:18:52 | abc | secrets file already exists | xyz | init-vault | babc-deployment-17-rpn2h |
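As an added, constructed example (not code from this thread or from Splunk), the extraction that | kv and | fieldsummary perform, written in Python over events shaped like the posted sample: key=value pairs are pulled from each event, and a per-field coverage summary shows which fields exist in the raw data and which ones only some events carry. The regex, the rule that a value runs until the next key= token, and the third event with an extra level field are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in the same shape as the ones posted above,
# plus one constructed event carrying an extra field (level) the others lack.
SAMPLE_EVENTS = [
    "2020-09-10T02:23:14.927038622Z app_name=abc ns=xyz pod_container=init-vault "
    "pod_name=abc-deployment-74-tlzxv message=secrets file already exists; exiting ...",
    "2020-09-10T03:52:26.646777037Z app_name=abc ns=xyz pod_container=init-vault "
    "pod_name=babc-deployment-17-rpn2h message=secrets file already exists; exiting ...",
    "2020-09-10T04:01:02.000000000Z app_name=abc ns=xyz pod_container=app "
    "pod_name=abc-deployment-74-q9x2k level=error message=upstream timeout",
]

# Assumed extraction rule: a key is an identifier followed by '=', and its value
# runs (non-greedily) until the next whitespace-separated key= token or end of line,
# so values containing spaces such as the message field stay intact.
KV_RE = re.compile(
    r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*?)(?=\s+[A-Za-z_][A-Za-z0-9_]*=|$)"
)


def extract_kv(raw: str) -> dict:
    """Stand-in for automatic key=value extraction: returns the fields of one event."""
    fields = {"_raw": raw}
    timestamp, _, rest = raw.partition(" ")
    fields["timestamp"] = timestamp  # leading ISO timestamp, kept separately from the pairs
    for m in KV_RE.finditer(rest):
        fields[m.group("key")] = m.group("value").strip()
    return fields


def field_summary(events) -> dict:
    """Per-field coverage in the spirit of | fieldsummary: event count and distinct values."""
    counts = defaultdict(int)
    values = defaultdict(set)
    for raw in events:
        for key, value in extract_kv(raw).items():
            if key in ("_raw", "timestamp"):  # internal fields are not part of the summary
                continue
            counts[key] += 1
            values[key].add(value)
    return {
        key: {"count": counts[key], "distinct_count": len(values[key]), "values": sorted(values[key])}
        for key in sorted(counts)
    }


def missing_fields(events) -> list:
    """Fields present in some events but absent from others, i.e. the ones a dashboard cannot rely on."""
    summary = field_summary(events)
    return sorted(key for key, stats in summary.items() if stats["count"] < len(events))
```

Running field_summary over the real search results instead of the constructed list gives the full inventory of raw-data fields the question asks for, and missing_fields flags the ones that only appear in a subset of events.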
Hi ITWhisperer,
I want to see the fields which are not available in logs.
There are some fields which are coming at the left as Selected Fields and Interesting Fields when we check logs.
I want to see all other fields that are present for a particular index, ns and app,
so that I can add them in logs and create dashboards.
It depends on what your logs look like. Can you provide a sample? Otherwise, it is difficult to advise what will work for you.