Splunk Search

How to display a list of fields for an index?

daniel333
Builder

All,

Is it possble to display a list of fields for an index?

Something like this?
index=java | dedup fields | table fields

thanks,
-Daniel

1 Solution

MuS
Legend

Hi daniel333,

Yes, this is possible using stats - take a look at this run everywhere example:

 index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

This will create a list of all field names within index _internal. Adopted to your search this should do it:

index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

Hope this helps ...

cheers, MuS

View solution in original post

landen99
Motivator
index=m1 sourcetype=m1a 
| head 999
| fieldsummary 
| where count>0 
| table field count distinct_count values

 

0 Karma

cgalligan
Explorer

The search as noted above:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

works, but is there a way to calculate the event coverage as well? fieldsummary doesn't seem to show this

0 Karma

477450
Explorer

Simple ..!

index=java |table *

Then you can filter whatever fields you don't want.

0 Karma

javiergn
Super Champion

Try:

index=java | stats dc() as * | transpose

Make sure there are some time restrictions applied.

Alternatively take a look at this: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary

0 Karma

ITSX
Explorer

Youre looking for |fieldsummary|table field

MuS
Legend

Hi daniel333,

Yes, this is possible using stats - take a look at this run everywhere example:

 index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

This will create a list of all field names within index _internal. Adopted to your search this should do it:

index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

Hope this helps ...

cheers, MuS

JohnEGones
Communicator

 

Thanks for this.

 

So taking these results, how would I join the index and sourcetype pair for each field name so I would end up with something like this:

someIndex.someSourcetype.someFieldname

index=firewall sourcetype=firewall1 

fieldnames: host, source, srcip, dest, etc etc.

firewall.firewall1.srcip

firewall.firewall1.dest

firewall.firewall1.destport

....



index=networkdevices sourcetype=ids1 (sourcetype=ids2...)

networkdevices.ids1.src

networkdevices.ids2.dest

...

networkdevices.router1.src

....



index=someApp sourcetype=someTCPsource 

someApp.someTCPsource.src

someApp.someTCPsource.randomField1

....

 

Or, alternately, could I take the results of this query and run some modification of the search you proposed to dump the fieldname for  each index:sourcetype pair?

 

something like:

| tstats values(field) as Field, count where index=* AND sourcetype=* by index, sourcetype

 

 

0 Karma

yvassilyeva
Path Finder

Is there a way to display all the fields from a specific index used in all reports? @niketn 

Thank you.

0 Karma

MuS
Legend

or use the fieldsummary command in your search:

 index=java | fieldsummary | table field
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...