Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search that lists all fields? (and data validation question)

mbasharat
Contributor
‎06-20-2019 09:30 AM

Hi,
I am looking to create a search that allows me to get a list of all fields in addition to below:

| tstats count WHERE index=ABC by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
 | sort by _time Desc

How can I add field name in addition to results below in above SPL and get counts? I want to have an alternate version WITHOUT using tsats as well. So need both versions, with and without tstats.

Either I am missing a tiny piece above or brain needs some rest at the moment 🙂 Thanks in-advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 10:28 AM

are you looking for something like this?

| tstats count WHERE index="_audit" by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc 
    | appendcols 
    [search index="_audit"
    | table *]

NOTE - the default _audit index has been considered here so that you can run the code as is

0 Karma
Reply
Solved! Jump to solution

mbasharat
Contributor
‎06-20-2019 10:50 AM

Is there a field name that I can use below so my results include the field names as well and then respective counts?

| tstats count WHERE index=ABC by index, source, sourcetype, fieldname (like * or something that gives me list of fields as well), _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc

In your provided query, appendcols are providing results. But I want the field names in the header to be in the column with respective event counts

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 11:20 AM

hi @mbasharat - Can you give some example mock up based on the _audit index if possible?
I am not able to understand your desired output

0 Karma
Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...