Hi,
I am looking to create a search that allows me to get a list of all fields in addition to below:
| tstats count WHERE index=ABC by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc
How can I add field name in addition to results below in above SPL and get counts? I want to have an alternate version WITHOUT using tstats as well. So I need both versions, with and without tstats.
Either I am missing a tiny piece above or my brain needs some rest at the moment 🙂 Thanks in advance
@mbasharat you can try one of my older answers which lists two options that you can try
https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html
are you looking for something like this?
| tstats count WHERE index="_audit" by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc
| appendcols
[search index="_audit"
| table *]
NOTE - the default _audit index has been considered here so that you can run the code as is
Is there a field name that I can use below so my results include the field names as well and then respective counts?
| tstats count WHERE index=ABC by index, source, sourcetype, fieldname (like * or something that gives me a list of fields as well), _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc
In your provided query, appendcols is providing results. But I want the field names in the header to be in the column with respective event counts
hi @mbasharat - Can you give some example mock-up based on the _audit index if possible?
I am not able to understand your desired output
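As an added example, not from any poster in this thread: the "one row per field name with its event count" output that @mbasharat describes has to be built at search time, because tstats only reads indexed fields from the tsidx files and cannot enumerate search-time extracted fields. Both searches below use the default _audit index, as the earlier answer does, so they run as-is; the 1-hour window and the present_ prefix are my own choices. The first search gives field name and count for the whole index via fieldsummary; the second breaks the same counts down by index and sourcetype by marking each field's presence per event with foreach and then pivoting the stats row into field/count rows with untable.

```spl
index=_audit earliest=-1h
| fieldsummary
| table field count
| sort -count

index=_audit earliest=-1h
| fields - _raw
| foreach * [eval present_<<FIELD>>=if(isnotnull('<<FIELD>>'), 1, null())]
| stats count(present_*) as present_* by index, sourcetype
| eval series=index.":".sourcetype
| fields - index, sourcetype
| untable series fieldname count
| eval fieldname=replace(fieldname, "^present_", "")
| where count > 0
| sort series, -count
```

Replace _audit with your own index; a field that is never extracted in the window simply does not appear, which is also a quick way to spot sourcetypes whose extractions are not producing the fields your detections key on.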