Splunk Search

How to extract field names against values in one (or more field)?

gordone
Explorer

Hi guys,

Looking for help framing a query for the following scenario:

index=index  "designated field"

Events show that there are multiple values for the field (these are log message types):

Type1 

Type2

Type3

....

TypeN

Want to enumerate all of the fields that are associated with each: designated_field.TypeN (i.e. each log message type has sub-fields associated with each log message type.)


So for Type1:

Field1_Type1

Field2_Type1

Field3_Type1

for Type2:

Field1_Type1

Field2_Type2

etc.

======================================

 

So I am imagining my query goes like this:

index=index1 designated_field

| <enumerate each of the values in designated_field>

| <pull out the field names for each of the values that were enumerated>

| <form a table with a column listing the values and then a second column showing all of the field names associated with each value>

0 Karma

gordone
Explorer

Hi ITWhisperer,

Thanks for taking the time to respond. I had thought I had responded to this, but it seems the forum ate my reply.

Mock Output:

_______________________________________________________________________________
Time    Designated_Field            Sub-Field Name
21:21   01 - Logon                  User
                                    Host
                                    Domain

21:22   02 - Logoff                 User
                                    Host
                                    Domain

21:23   04 - IP Address Assigned    Host
                                    Domain
                                    NS Server
                                    IP Type
_____________________________________________________________________________

NOTE: Designated_Field is a field whose values are extracted and displayed per event; the third column lists the sub-field names associated with the values in the second column.

0 Karma

ITWhisperer
SplunkTrust

I am not sure I understand the ask here - please can you share some realistic events and a representation of your expected output. Please include the events in a code block </> to preserve the formatting of the events.

0 Karma

gordone
Explorer

Hi ITWhisperer,

Thanks for engaging my question.

Response:

----------------------------------
Time    |  Designated_Field   |  Sub-Field
____________________________________________________________________________
21:23      01 - Logon            User
                                 Host
                                 Logon Domain

21:25      02 - Logoff           User
                                 Host
                                 Logon Domain
________________________________________________________________________________

So note that (01 - Logon, 02 - Logoff) are the values in the field Designated_Field. By contrast, (User, Host, Logon Domain) are field names (like Designated_Field).

0 Karma
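One way to build the "value in one column, its field names in the other" table asked for above, added here as an example that is not from any of the posts in this thread: the `makeresults`/`eval` lines fabricate three events shaped like the mock output (constructed sample data; the field names `User`, `Host`, `Logon_Domain`, `NS_Server`, `IP_Type` and their values are assumptions), and the `foreach` loop collects the name of every non-null field on each event into a multivalue `Sub_Field`, which `stats` then groups per `Designated_Field` value.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=_time+(n*60)
| eval Designated_Field=case(n==1,"01 - Logon", n==2,"02 - Logoff", n==3,"04 - IP Address Assigned")
| eval User=if(n<=2,"alice",null()), Host=if(n<=2,"ws01","ws02"), Logon_Domain=if(n<=2,"CORP",null())
| eval NS_Server=if(n==3,"10.0.0.53",null()), IP_Type=if(n==3,"DHCP",null())
| fields - n ```drop the helper counter so it is not reported as a sub-field```
| foreach * [ eval Sub_Field=if(isnotnull('<<FIELD>>') AND NOT match("<<FIELD>>","^_") AND "<<FIELD>>"!="Designated_Field" AND "<<FIELD>>"!="Sub_Field", mvappend(Sub_Field,"<<FIELD>>"), Sub_Field) ] ```append each present, non-internal field name to the per-event list```
| stats values(Sub_Field) AS Sub_Fields by Designated_Field
```

Against real data, replace everything before the `foreach` with the base search (for example `index=index1 Designated_Field=*`); swapping the final `stats` for `| table _time Designated_Field Sub_Field` gives the per-event layout of the mock output instead of one row per value.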