All,
Is it possible to display a list of fields for an index?
Something like this?
index=java | dedup fields | table fields
thanks,
-Daniel
Hi daniel333,
Yes, this is possible using stats - take a look at this run-everywhere example:
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
This will create a list of all field names within index _internal. Adapted to your search, this should do it:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
Hope this helps ...
cheers, MuS
index=m1 sourcetype=m1a
| head 999
| fieldsummary
| where count>0
| table field count distinct_count values
The search as noted above:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
works, but is there a way to calculate the event coverage as well? fieldsummary doesn't seem to show this
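One way to get per-field event coverage out of fieldsummary, added here as an example rather than code from any of the posts above: fieldsummary reports a count per field but not the total number of events, so this search first stamps every event with the total (eventstats), lets fieldsummary count that helper field like any other, pulls the total back out as a column, and then divides. The index name and the 24-hour window are assumed.

```spl
index=java earliest=-24h
| eventstats count AS total_events
| fieldsummary
| eventstats max(count) AS total_events
| where field!="total_events"
| eval coverage_pct=round(100 * count / total_events, 2)
| table field count distinct_count coverage_pct
| sort - coverage_pct
```

The second eventstats works because no field can occur in more events than exist, so the largest per-field count (the helper field, which is present in every event) is the event total; the helper row is then dropped before the percentage is computed. Keep a time restriction on this, since fieldsummary has to read every event in the range.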
Simple!
index=java | table *
Then you can filter whatever fields you don't want.
Try:
index=java | stats dc(*) as * | transpose
Make sure there are some time restrictions applied.
Alternatively take a look at this: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary
You're looking for | fieldsummary | table field
Thanks for this.
So taking these results, how would I join the index and sourcetype pair for each field name so I would end up with something like this:
someIndex.someSourcetype.someFieldname
index=firewall sourcetype=firewall1
fieldnames: host, source, srcip, dest, etc etc.
firewall.firewall1.srcip
firewall.firewall1.dest
firewall.firewall1.destport
....
index=networkdevices sourcetype=ids1 (sourcetype=ids2...)
networkdevices.ids1.src
networkdevices.ids2.dest
...
networkdevices.router1.src
....
index=someApp sourcetype=someTCPsource
someApp.someTCPsource.src
someApp.someTCPsource.randomField1
....
Or, alternately, could I take the results of this query and run some modification of the search you proposed to dump the fieldname for each index:sourcetype pair?
something like:
| tstats values(field) as Field, count where index=* AND sourcetype=* by index, sourcetype
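An added example, not code from the thread, that builds the index.sourcetype.fieldname list with stats rather than tstats: tstats only operates on indexed fields, so search-time extracted fields such as srcip or dest would not appear in its output. The three index names are the ones used in the question above; the one-hour window and the output layout are assumptions.

```spl
(index=firewall OR index=networkdevices OR index=someApp) earliest=-1h
| fields - _raw
| eval pair=index.".".sourcetype
| stats values(*) AS * BY pair
| untable pair field value
| where isnotnull(value)
| eval name=pair.".".field
| table pair field name
| sort pair field
```

stats values(*) AS * BY pair gives one row per index/sourcetype pair with every field that occurs in that pair as a column; untable turns those columns back into one row per field, and the isnotnull filter drops fields that exist in some other pair but never in this one. Replace the last two lines with | stats values(name) AS fieldnames BY pair if you prefer one multivalue row per pair.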
Is there a way to display all the fields from a specific index used in all reports? @niketn
Thank you.
Or use the fieldsummary command in your search:
index=java | fieldsummary | table field