How do you create a table with each row being a lo...

ixixix_spl · ‎09-12-2018

I was wondering if there is an easy way to create a table that contains every single recognized interesting field instead of doing the usual | table field1, field2... method.

To be clear I want to have each row in the table as a separate instance/log and not a summary of counts. In other words, I would like a substitution for | table but to capture every single interesting field that is recognized. Thanks!

HiroshiSatoh · ‎09-12-2018

I am sorry if I misunderstood the question.
In this search statement you can see the fields used in the log and the number of occurrences.

index=* | stats dc(*) as * | transpose

ixixix_spl · ‎09-13-2018

sorry this doesnt answer my question i am looking for a shortcut that will basically do something like this:

       field1 .    field2 ....  field100 
log A:    stringA .  stringB .  stringC 
logB:     stringD . stringE .   stringF

i know you can do it manually by performing the command | table field1, field2... field100

but typing out every field i want to capture is extremely time consuming so i am wondering if there is a shortcut to do it

How do you create a table with each row being a log and every column being a recognized "Interesting Field"?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation