How do you create a table with each row being a lo...

ixixix_spl · ‎09-12-2018

I was wondering if there is an easy way to create a table that contains every single recognized interesting field instead of doing the usual | table field1, field2... method.

To be clear I want to have each row in the table as a separate instance/log and not a summary of counts. In other words, I would like a substitution for | table but to capture every single interesting field that is recognized. Thanks!

HiroshiSatoh · ‎09-12-2018

I am sorry if I misunderstood the question.
In this search statement you can see the fields used in the log and the number of occurrences.

index=* | stats dc(*) as * | transpose

ixixix_spl · ‎09-13-2018

sorry this doesnt answer my question i am looking for a shortcut that will basically do something like this:

       field1 .    field2 ....  field100 
log A:    stringA .  stringB .  stringC 
logB:     stringD . stringE .   stringF

i know you can do it manually by performing the command | table field1, field2... field100

but typing out every field i want to capture is extremely time consuming so i am wondering if there is a shortcut to do it

How do you create a table with each row being a log and every column being a recognized "Interesting Field"?

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How do you create a table with each row being a log and every column being a recognized "Interesting Field"?

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!