How do I search for and return extracted fields li...

maverick · ‎04-18-2011

In other words, I want to first search on some events, and then I would like to create a table and include a column in that table containing the list of the extracted Field names.

Has anyone done this already or know what the Fields metadata name is to build this type of field of Fields, if you will?

gkanapathy · ‎04-18-2011

Simple:

... | transpose | fields column

hazekamp · ‎04-18-2011

Much simpler!

hazekamp · ‎04-18-2011

I am not familiar with a way to do this out-of-the box, so here's a search command for this...listfields will return a single column named "field" with each field found in the search as a result row. Example search would be: "* | head 10 | listfields | search field=foo".

## commands.conf
[listfields]
filename = listfields.py
retainsevents = false
streaming = false
supports_multivalues = true

## listfields.py
import os
import re
import sys
import splunk.Intersplunk

if __name__ == '__main__':

    try:

        results = splunk.Intersplunk.readResults(None, None, True)
        fields = []

        if len(results) > 0:
          for k,v in results[0].items():
            field = {}
            field['field'] = k
            fields.append(field)

        results = fields

    except Exception, e:
        results = splunk.Intersplunk.generateErrorResults(str(e))

    splunk.Intersplunk.outputResults(results)

How do I search for and return extracted fields list in a table?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How do I search for and return extracted fields list in a table?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine