Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search that lists all fields? (and data validation question)

mbasharat
Builder
‎06-20-2019 09:30 AM

Hi,
I am looking to create a search that allows me to get a list of all fields in addition to below:

| tstats count WHERE index=ABC by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
 | sort by _time Desc

How can I add field name in addition to results below in above SPL and get counts? I want to have an alternate version WITHOUT using tsats as well. So need both versions, with and without tstats.

Either I am missing a tiny piece above or brain needs some rest at the moment 🙂 Thanks in-advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 10:28 AM

are you looking for something like this?

| tstats count WHERE index="_audit" by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc 
    | appendcols 
    [search index="_audit"
    | table *]

NOTE - the default _audit index has been considered here so that you can run the code as is

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎06-20-2019 10:50 AM

Is there a field name that I can use below so my results include the field names as well and then respective counts?

| tstats count WHERE index=ABC by index, source, sourcetype, fieldname (like * or something that gives me list of fields as well), _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc

In your provided query, appendcols are providing results. But I want the field names in the header to be in the column with respective event counts

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 11:20 AM

hi @mbasharat - Can you give some example mock up based on the _audit index if possible?
I am not able to understand your desired output

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...