Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I find all the possible fields from our raw logs for a particular index, excluding internal fields generated by Splunk?

ZacEsa
Communicator
‎07-13-2016 02:00 AM

Hi all,

I'm trying to create a guide for my colleagues regarding the raw logs on Splunk, but I'm stuck as I'm not sure what which fields are generated by Splunk (e.g. date_hour, date_mday, linecount, etc.) and which are the fields Splunk gets from the logs.

So, as the question states, is it possible for me to get all possible fields from a certain index excluding those fields generated by Splunk?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎07-13-2016 01:00 PM

Hi ZacEsa, here's a good breakdown on the default fields : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Aboutdefaultfields

For a full list of fields, fieldsummary could be used like:

index=yourIndex | fieldsummary | table field

Please let me know if this answers your question!

View solution in original post

Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎07-13-2016 01:00 PM

Hi ZacEsa, here's a good breakdown on the default fields : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Aboutdefaultfields

For a full list of fields, fieldsummary could be used like:

index=yourIndex | fieldsummary | table field

Please let me know if this answers your question!

Reply
Solved! Jump to solution

ZacEsa
Communicator
‎07-13-2016 04:47 PM

I believe this still shows the Splunk default fields right? Does the link you gave me contain all the fields that Splunk generate?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-13-2016 05:10 PM

It would but you can use the field names from the link provided and exclude them, may be put in a lookup called splunk_fields.csv and use it like this

index=yourIndex | fieldsummary | table field | search NOT [| inputlookup splunk_fields.csv | table fields]

Where, splunk_fields.csv is

fields
_raw
_time
_indextime,
 _cd
..and so on
0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎07-13-2016 05:24 PM

Possible to do this without putting it in a csv? Sorry if this seems like a basic question. Haha.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-13-2016 06:28 PM

You can actually create a macro and put something like this in the macro

search NOT ( field="_raw" OR field=_time OR field=source....)

and use the macro like this

index=yourIndex | fieldsummary | table field | `filtersplunkfields`
0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎07-13-2016 06:40 PM

Okay, thanks!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-13-2016 01:08 PM

Very Nice!

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...