Hi,
Trying to get the count of extracted fields per index. I am using the following search for this:
index=* | fieldsummary | stats count
This gives me the entire list of all fields in all indexes.
Also "stats count by index" doesn't work, as fieldsummary doesn't have an index value. How can we get the field count per index?
How about this one:
index=summary sourcetype=stash source IN (Summary_Error_*)
| fields + *
| stats mode(*) AS #* by search_name
| transpose header_field=search_name column_name=fieldName
| eval type=if(match(fieldName,"#(_raw|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom")
| stats count(*) AS * BY type
| transpose column_name=search_name header_field=type
| rename "row 1" AS fieldCount
| search search_name!=fieldName
It was used for a summary index but might as well be used in other ways.
Can also be accomplished over time by:
index=summary sourcetype=stash source IN (Summary_Error_*)
| fields + *
| bin _time span=1d
| eval search_name=search_name+"#"+_time
| stats mode(*) AS * by search_name
| transpose 1000 header_field=search_name column_name=fieldName
| eval type=if(match(fieldName,"(_raw|_time|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|time*.?pos|search_name|search|search_now|splunk_server.*|linecount)"),"internal","custom")
| stats count(*) AS * BY type
| transpose 1000 column_name=search_name header_field=type
| rename "row 1" AS fieldCount
| search search_name!=fieldName
| rex field=search_name "(?<search_name>[^#]+)#(?<_time>.*)"
| stats max(*) as * BY _time search_name
Give this a try
index=* | chart limit=0 count(*) as * by index | untable index field value | stats count as fieldcount by index
Hi, do you just want to know how many times a field has a value (for a certain index)?
I like simple, so how about this?
index= sourcetype= field_name=* | stats count(field_name)
By adding the wildcard for your field, you only search on events that have a value for your field.
If the load on this index is too heavy, or you'd like to do this regularly, you could also consider writing the results to a summary index ( | collect index= sourcetype=).
This one has me stumped in terms of how to achieve this with a search. Bear in mind though even if this is possible that the count of extracted fields will vary depending on the app context, the user that you run the search as, and could change constantly depending on the time ranges that you are using.
Is there any chance you could share your use case? There may be another way to achieve whatever it is you are trying to do!
If you're not fussed to do it in a single search then you could run the following search:
index=* | stats values(*) as * by index
and then process the results elsewhere (e.g. Excel, a shell script, etc.)
I am planning to get the extracted field count per index for the past 7 days and then compare it with the field count for today.
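As an added example (not code from any of the posters), the Python below does the "process the results elsewhere" step suggested in the last answer and the 7-days-versus-today comparison described in the follow-up. It assumes two things: a CSV export of `index=* | stats values(*) as * by index` (one row per index, one column per field; the sample CSV is constructed and joins multivalue cells with ";" for readability, which does not affect the counts), and a list of per-event field dicts where the `_time` key holds the event's day as a `date` (also constructed). The internal/custom split reuses the regex from the second answer, anchored with `^...$` so that a custom field such as `myindex` is not misclassified.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import date, timedelta

# Splunk-internal field names, taken from the "type" eval in the second answer.
# Anchored here (Splunk's match() is an unanchored search) so only whole names match.
INTERNAL_FIELD_RE = re.compile(
    r"^(_raw|_time|date_.*|eventtype|tag.*|index|sourcetype|host|info_.*|punct|"
    r"time*.?pos|search_name|search|search_now|splunk_server.*|linecount)$"
)

def classify_field(name):
    """'internal' for Splunk's own fields, 'custom' for extracted ones."""
    return "internal" if INTERNAL_FIELD_RE.match(name) else "custom"

def field_counts_from_stats_csv(csv_text):
    """Count fields per index from a CSV export of
    `index=* | stats values(*) as * by index`: a field is present for an index
    when its cell in that index's row is non-empty."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        idx = row.pop("index")
        counts[idx] = sum(1 for v in row.values() if v not in (None, ""))
    return counts

def fields_per_index(events, start, end):
    """Distinct field names seen per index for events with start <= day < end.
    Same idea as `chart count(*) by index | untable ... | stats count by index`:
    a field counts once per index if any event in the window has a value for it.
    `_time` exists on every event, so it is the bucket key and is not counted."""
    seen = defaultdict(set)
    for ev in events:
        if not (start <= ev["_time"] < end):
            continue
        for name, value in ev.items():
            if name == "_time" or value in (None, ""):
                continue
            seen[ev["index"]].add(name)
    return seen

def compare_windows(events, today, lookback_days=7):
    """Per index: field count over the previous `lookback_days` days vs today,
    plus which fields appeared or disappeared (a sudden drop usually means a
    broken extraction or a sourcetype change rather than a real data change)."""
    week_start = today - timedelta(days=lookback_days)
    past = fields_per_index(events, week_start, today)
    now = fields_per_index(events, today, today + timedelta(days=1))
    report = {}
    for idx in sorted(set(past) | set(now)):
        old, new = past.get(idx, set()), now.get(idx, set())
        report[idx] = {
            "past_7d_count": len(old),
            "today_count": len(new),
            "custom_today": sum(1 for f in new if classify_field(f) == "custom"),
            "new_fields": sorted(new - old),
            "missing_fields": sorted(old - new),
        }
    return report

# Constructed sample export of `stats values(*) as * by index` (";" joins multivalues).
SAMPLE_STATS_CSV = """index,host,sourcetype,clientip,status,EventCode,user,src_ip
web,w1;w2,access_combined,10.0.0.5;10.0.0.9,200;404,,,
auth,dc1,wineventlog,,,4624;4625,alice;bob,10.0.0.77
"""

# Constructed sample events; `_time` is the event's day. The 2023-12-20 event is
# outside the 7-day window on purpose, and one web event has an empty clientip.
TODAY = date(2024, 1, 8)
SAMPLE_EVENTS = [
    {"_time": date(2024, 1, 2), "index": "web", "host": "w1", "sourcetype": "access_combined",
     "clientip": "10.0.0.5", "status": "200", "uri": "/login"},
    {"_time": date(2024, 1, 5), "index": "web", "host": "w2", "sourcetype": "access_combined",
     "clientip": "10.0.0.9", "status": "404", "uri": "/admin", "useragent": "curl/8.0"},
    {"_time": date(2024, 1, 8), "index": "web", "host": "w1", "sourcetype": "access_combined",
     "clientip": "10.0.0.5", "status": "200", "uri": "/"},
    {"_time": date(2024, 1, 8), "index": "web", "host": "w1", "sourcetype": "access_combined",
     "clientip": "", "status": "500", "uri": "/api", "referer": "https://example.test"},
    {"_time": date(2024, 1, 3), "index": "auth", "host": "dc1", "sourcetype": "wineventlog",
     "EventCode": "4624", "user": "alice"},
    {"_time": date(2024, 1, 8), "index": "auth", "host": "dc1", "sourcetype": "wineventlog",
     "EventCode": "4625", "user": "bob", "src_ip": "10.0.0.77"},
    {"_time": date(2023, 12, 20), "index": "auth", "host": "dc0", "sourcetype": "wineventlog",
     "EventCode": "1102", "user": "x"},
]

if __name__ == "__main__":
    print("from stats export:", field_counts_from_stats_csv(SAMPLE_STATS_CSV))
    for idx, info in compare_windows(SAMPLE_EVENTS, TODAY).items():
        print(idx, info)
```

With the constructed data, `web` keeps 7 fields in both windows but swaps `useragent` for `referer`, which the plain count would hide; the new/missing lists are what make the day-over-day comparison useful. The empty `clientip` on one event is not counted for that event, matching how `count(*)` and `values(*)` ignore missing values.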