Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to list fields, values and also index and source names using fieldsummary

chanmic
New Member
‎01-03-2017 07:30 PM

Hi All,

I need to look for specific fields in all my indexes. Using fieldsummary, I am able to get a listing of my specific fields, count, distinct_count and values, but I also like to add 2 new columns so it would also give the index and the source names.

Is there a way to do this with fieldsummary or would there be an alternatively.

Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-04-2017 01:14 AM

See if the following helps and run it against last 24 hours or less if possible (careful as it will be a bit slow):

| tstats count WHERE index=* GROUPBY index, sourcetype
| fields - count
| rename index AS indexname, sourcetype AS sourcetypename
| map maxsearches=5 search="| search index=\"$indexname$\" sourcetype=\"$sourcetypename$\" | head 100 | fieldsummary | eval index=\"$indexname$\", sourcetype=\"$sourcetypename$\" | fields index, sourcetype, *"

You can play with the maxsearches value to match your needs once you have the final version as it can't be unlimited I'm afraid.
If you want the source instead of the sourcetype simply replace it in the query above.

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-04-2017 01:14 AM

See if the following helps and run it against last 24 hours or less if possible (careful as it will be a bit slow):

| tstats count WHERE index=* GROUPBY index, sourcetype
| fields - count
| rename index AS indexname, sourcetype AS sourcetypename
| map maxsearches=5 search="| search index=\"$indexname$\" sourcetype=\"$sourcetypename$\" | head 100 | fieldsummary | eval index=\"$indexname$\", sourcetype=\"$sourcetypename$\" | fields index, sourcetype, *"

You can play with the maxsearches value to match your needs once you have the final version as it can't be unlimited I'm afraid.
If you want the source instead of the sourcetype simply replace it in the query above.

Reply
Solved! Jump to solution

chanmic
New Member
‎01-05-2017 07:09 PM

Thanks Javiergn

0 Karma
Reply
Solved! Jump to solution

AishBhardwaj
New Member
‎04-13-2020 06:02 PM

Is there a way to get difference in two searches using the above search?
Basically I am trying to see the difference in fields today from yesterday and I also want to display the source name and index.
I can easily find the difference but I can’t display the index name and source name with it. The above query seems to serve the purpose but I can’t figure out how to use this in my case. Any help appreciated.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-13-2020 06:12 PM

please ask by another question and provide sample query.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...