Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display a list of fields for an index?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
Is it possble to display a list of fields for an index?
Something like this?
index=java | dedup fields | table fields
thanks,
-Daniel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi daniel333,
Yes, this is possible using stats - take a look at this run everywhere example:
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
This will create a list of all field names within index _internal. Adopted to your search this should do it:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=m1 sourcetype=m1a
| head 999
| fieldsummary
| where count>0
| table field count distinct_count values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search as noted above:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
works, but is there a way to calculate the event coverage as well? fieldsummary doesn't seem to show this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simple ..!
index=java |table *
Then you can filter whatever fields you don't want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
index=java | stats dc() as * | transpose
Make sure there are some time restrictions applied.
Alternatively take a look at this: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Youre looking for |fieldsummary|table field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi daniel333,
Yes, this is possible using stats - take a look at this run everywhere example:
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
This will create a list of all field names within index _internal. Adopted to your search this should do it:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I feel like I'm missing something simple here. I've copied/pasted the query and it doesn't work.
I've tried the options listed below and come back with 0. Can anyone think of a reason why that might happen?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the following:
index=<myindex> | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
index=<myindex> |table *
index=<myindex> fieldsummary | table*
every search comes back as 0 Events and Statistics (0)
Like I said I feel like I'm missing something simple.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. If you put there literally "<myindex>" that obviously won't work.
I'll assume you actually substituted that for the real index name so in case of an internal index that would be
index=_internal
| stats values(*) AS *
| transpose
| table column
| rename column AS fieldnames
So actually there are several possible issues with those searches. Transpose has its limits, tabling all events can be resource-intensive...
Actually the best one of those seems to be the fieldsummary one.
But if you're not gettting any results (and no errors) at all that means there's something more to it. Inspect the job, check its log.
Do you have the permissions to the target index? Aren't you trying to search over a longer period than permitted for your role?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What exactly did you run?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this.
So taking these results, how would I join the index and sourcetype pair for each field name so I would end up with something like this:
someIndex.someSourcetype.someFieldname
index=firewall sourcetype=firewall1
fieldnames: host, source, srcip, dest, etc etc.
firewall.firewall1.srcip
firewall.firewall1.dest
firewall.firewall1.destport
....
index=networkdevices sourcetype=ids1 (sourcetype=ids2...)
networkdevices.ids1.src
networkdevices.ids2.dest
...
networkdevices.router1.src
....
index=someApp sourcetype=someTCPsource
someApp.someTCPsource.src
someApp.someTCPsource.randomField1
....
Or, alternately, could I take the results of this query and run some modification of the search you proposed to dump the fieldname for each index:sourcetype pair?
something like:
| tstats values(field) as Field, count where index=* AND sourcetype=* by index, sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to display all the fields from a specific index used in all reports? @niketn
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
or use the fieldsummary command in your search:
index=java | fieldsummary | table field
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
