Solved: Re: list of all indexes and all fields within each...

TonyJobling · ‎01-03-2018

I can obtain a list of fields within an index eg.
index=bind_queries | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

and a list of all indexes,
| eventcount summarize=false index=* index=_* | dedup index

But I'm struggling to successfully join the two.

Anyone know of a solution?

somesoni2 · ‎01-03-2018

Give this a try (will be a painfully slow search, try to put small time range in the map subsearch)

| eventcount summarize=false index=* OR  index=_* | dedup index | map  maxsearches=1000 search="search index=$index$ earliest=-24h| fieldsummary maxvals=1 | eval index=\"$index$\" | table index field | rename field as Fieldnames "

View solution in original post

somesoni2 · ‎01-03-2018

Give this a try (will be a painfully slow search, try to put small time range in the map subsearch)

| eventcount summarize=false index=* OR  index=_* | dedup index | map  maxsearches=1000 search="search index=$index$ earliest=-24h| fieldsummary maxvals=1 | eval index=\"$index$\" | table index field | rename field as Fieldnames "

sarit_s · ‎07-03-2023

Thanks
The problem is that it returns '1' in the current size column for all the indexes

ajobling1964 · ‎01-03-2018

That seems to do the trick; I was not aware of the map command before. thanks.

richgalloway · ‎01-03-2018

@ajobling, if your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

How to list of all indexes and all fields within each index?

stats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?