Splunk Search

How to display a list of fields for an index?

daniel333
Builder

All,

Is it possible to display a list of fields for an index?

Something like this?
index=java | dedup fields | table fields

thanks,
-Daniel

1 Solution

MuS
SplunkTrust

Hi daniel333,

Yes, this is possible using stats - take a look at this run everywhere example:

index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

This will create a list of all field names within index _internal. Adapted to your search, this should do it:

index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

Hope this helps ...

cheers, MuS


landen99
Motivator
index=m1 sourcetype=m1a 
| head 999
| fieldsummary 
| where count>0 
| table field count distinct_count values

 

0 Karma

cgalligan
Explorer

The search as noted above:
index=java | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

works, but is there a way to calculate the event coverage as well? fieldsummary doesn't seem to show this

0 Karma
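One way to get the event coverage asked about above, as an added example that is not part of the original thread: the count column that fieldsummary emits is the number of events in which that field appears, so dividing it by the total number of events in the search gives the coverage. The search below assumes that at least one field (host, source and sourcetype always qualify, since Splunk sets them on every event) is present in every event, so the largest count in the fieldsummary output equals the event total; the index name java, the maxvals cap and the 15-minute window are placeholders to adjust.

```spl
index=java earliest=-15m
| fieldsummary maxvals=10
| eventstats max(count) AS total_events
| eval coverage_pct=round(100*count/total_events, 1)
| table field count distinct_count coverage_pct
| sort - coverage_pct
```

Bound the time range before running this against a large index: fieldsummary still has to read every event, although, unlike the stats values(*) form in the accepted answer, it only keeps up to maxvals distinct values per field rather than all of them. A field with coverage far below 100% on a sourcetype that is supposed to populate it on every event is usually a sign of a broken extraction or a change in the upstream log format, which is worth catching before a detection that depends on that field silently stops matching.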

477450
Explorer

Simple ..!

index=java | table *

Then you can filter whatever fields you don't want.

0 Karma

javiergn
SplunkTrust

Try:

index=java | stats dc(*) as * | transpose

Make sure there are some time restrictions applied.

Alternatively take a look at this: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary

0 Karma

ITSX
Explorer

You're looking for |fieldsummary|table field

JohnEGones
Path Finder

Thanks for this.

So taking these results, how would I join the index and sourcetype pair for each field name so I would end up with something like this:

someIndex.someSourcetype.someFieldname

index=firewall sourcetype=firewall1
fieldnames: host, source, srcip, dest, etc etc.
firewall.firewall1.srcip
firewall.firewall1.dest
firewall.firewall1.destport
....

index=networkdevices sourcetype=ids1 (sourcetype=ids2...)
networkdevices.ids1.src
networkdevices.ids2.dest
...
networkdevices.router1.src
....

index=someApp sourcetype=someTCPsource
someApp.someTCPsource.src
someApp.someTCPsource.randomField1
....

Or, alternately, could I take the results of this query and run some modification of the search you proposed to dump the fieldname for each index:sourcetype pair?

something like:

| tstats values(field) as Field, count where index=* AND sourcetype=* by index, sourcetype

0 Karma
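An added example for the index.sourcetype.fieldname inventory asked for above; it is not from the original thread. It collapses each index/sourcetype pair into one row with a distinct count per field (the dc(*) approach suggested earlier in the thread), then uses untable to turn that wide row back into one row per field and prefixes the field name with the pair. The index names firewall and networkdevices and the 15-minute window are placeholders; a field that never occurs within a pair comes back with a distinct count of 0 and is dropped by the where clause.

```spl
(index=firewall OR index=networkdevices) earliest=-15m
| eval scope=index.".".sourcetype
| fields - index sourcetype
| stats dc(*) AS * BY scope
| untable scope field distinct_count
| where distinct_count > 0
| eval fqfn=scope.".".field
| table fqfn distinct_count
| sort fqfn
```

Each output row is one firewall.firewall1.srcip style name with the number of distinct values seen for it in the window. Keep the time range short and the index list explicit: dc(*) has to hold the distinct value set of every field for every pair until the search finishes, so index=* over a long window is the kind of search that gets a search head into trouble. Saving the output with outputlookup and diffing it against the previous run is a cheap way to notice when a sourcetype starts or stops producing a field.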

yvassilyeva
Path Finder

Is there a way to display all the fields from a specific index used in all reports? @niketn 

Thank you.

0 Karma

MuS
SplunkTrust

Or use the fieldsummary command in your search:

index=java | fieldsummary | table field