Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Map fields to sourcetype

DanAlexander
Communicator
‎10-17-2023 05:43 AM

Hi All,

I need help building a SPL that would return all available fields mapped to their sourcetypes/source 

Looking across all Indexers crawling through all indexes index=*

I currently use to strip off all the fields and their extracted fields but I have no idea where they are coming from, what is their sourcetype and source:

index=*

fieldsummary

| search values!="[]"

| rex field=values max_match=0 "\{\"value\":\"(?<extracted_values>[^\"]+)\""

| fields field extracted_values

Thank you!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-17-2023 10:40 AM

Do you mean something like

index=*
| stats values(*) as * by sourcetype
| foreach *
    [eval fields = mvappend(fields, if("<<FIELD>>" != "sourcetype", "<<FIELD>>", null()))]
| stats values(fields) as fields by sourcetype
Tags (2)
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...