Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to document what is present in the index

texascj
Path Finder
‎09-09-2024 05:50 AM

My apologies for such a noob question.  I literally got dropped into a Splunk environment and I know little to nothing about it.

I have an index (foo as an example) and I'm told it's based on Oracle audit logs.  However, the index was built for us by the Admin and all I get is blank looks when I asked what exactly is IN the index. 

So my question is...how can I interrogate the index to find out what is in it?

I ran across these commands :

| metadata type=sourcetypes index="foo"

| metadata type=hosts index="foo"

This is a start, so now I have some sourcetype "keywords" (is that right?) and I can see some hosts.  But I suspect that's just the tip of the iceberg as it were given the index itself is pretty darn big.

I'm an Oracle guy and if I wanted to get familiar w/ an Oracle structure I would start w/ looking at the table structures, note the fields in all the tables, get a diagram if one was available.  I don't have that option here.  I don't have the rights to "manage" the index or even create my own.

So I have an index and no real clue as to what is in it...

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2024 07:30 AM

I agree with @sjringo but offer this faster query to find the information

| tstats count where index=foo by sourcetype

Splunk doesn't store data in tables so there's no equivalent to a SQL table dump.  You can use the fieldsummary command to see what fields are in the index along with their values.

index = foo | fieldsummary
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

sjringo
Contributor
‎09-09-2024 06:53 AM

I would say the first thing to look at is what are the different soucetype's in the index ?

index=foo | stats count by sourcetype

Then that will give you some kind of idea of what is being ingested for the index you have ?

Then if the sourcetype is named that it indicated the sourcetype's log's you can then look at the sources ?

index=foo | stats count by sourcetype,source 

This would give you an idea of what is in the index ?

0 Karma
Reply
Solved! Jump to solution

texascj
Path Finder
‎09-09-2024 07:34 AM

TY 4 that...when I run that first command it returns just north of 2.5 million events and 17 statistics.  So I see bandwidth, cpu, df, df_metric, exec, interfaces, iostat, lsof, netstat, openPorts, package, protocol, ps, top, uptime, vmstat, and who.

For all of these, the sourcetype = source with one exception.  Exec is broken out to 3 .sh files in a splunkforwarder folder structure.

I do not know if this is correct or not.  For instance, I discovered there is a fields link within Settings and I can get to Field Alisases, trim the list to "oracle" and I see stuff reporting from Oracle Audit, Oracle Database, Oracle Listener, Oracle Instance, Oracle Session, Oracle SysPerf, etc...

My understanding is the Splunk Index (this is a file?) is used by Splunk in searching for Keywords (are these fields?).  Thus, if the index contains ONLY the source / sourcetype information, then I'm gold and I simply need to define what those 17 stats are actually from/ for.  However, I also know that cannot be true as I can search on a Host=<something> which is not in that list.

I do hope that makes sense.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2024 07:30 AM

I agree with @sjringo but offer this faster query to find the information

| tstats count where index=foo by sourcetype

Splunk doesn't store data in tables so there's no equivalent to a SQL table dump.  You can use the fieldsummary command to see what fields are in the index along with their values.

index = foo | fieldsummary
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

texascj
Path Finder
‎09-09-2024 07:40 AM

This is much more helpful.  Running:

index=<name> | fieldsummary

Gives me 2.4 million+ events and 261 Statistics.  I presume then the 261 would be the sum total of disparate fields available to any of my queries.  Should that be true then I need only investigate each one to see what the heck they are and figure out if they are of any use.

Not a small task, but I know more now than I did 30 minutes ago.  😕

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top