Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a query that will table and display the triple: <index:sourcetype:field>

JohnEGones
Communicator
‎07-18-2023 05:25 AM

Hi people,

There was a good answer provided to part of this question here: Solved: Re: How to display a list of fields for an index? - Splunk Community

Taking this further, how would I join the index and sourcetype pair for each field name so I would end up with something like this:

someIndex.someSourcetype.someFieldname

index=firewall sourcetype=firewall1 

fieldnames: host, source, srcip, dest, etc etc.

firewall.firewall1.srcip

firewall.firewall1.dest

firewall.firewall1.destport

....



index=networkdevices sourcetype=ids1 (sourcetype=ids2...)

networkdevices.ids1.src

networkdevices.ids2.dest

...

networkdevices.router1.src

....



index=someApp sourcetype=someTCPsource 

someApp.someTCPsource.src

someApp.someTCPsource.randomField1

....

 

Or, alternately, could I take the results of this query and run some modification of the search you proposed to dump the fieldname for  each index:sourcetype pair?

 

something like:

| tstats values(field) as Field, count where index=* AND sourcetype=* by index, sourcetype
Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-18-2023 08:27 AM

You can't use the tstats variant unless your fields are indexed.

That other post is about getting the VALUES of the fields not the field names

If you want to get a list of fields with a known index and sourcetype then you can do

index=firewall sourcetype=firewall
| fieldsummary maxvals=1
| eval triplet="firewall.firewall.".field
| table triplet

Unfortunately fieldsummary does not persist the index and sourcetype in its results, so it's not possible to use that if you want to get the triplet from a variable set of indexes or sourcetypes.

This can be achieved this way

index=your_list_of_indexes_and_sourcetypes
| stats values(*) as * by index sourcetype
| foreach * [ eval fields=mvappend("<<MATCHSTR>>", fields) ]
| table index sourcetype fields
| mvexpand fields
| eval triplet=index.".".sourcetype.".".fields
| table triplet

the initial stats is really an optimisation so the foreach will run on fewer events - then the foreach is a critical part that is listing the field NAMES into the 'fields' field.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

JohnEGones
Communicator
‎07-19-2023 09:22 AM

This is awesome thanks. 

I have used Splunk in perhaps a more basic way for years, and I am finally starting to really dig in. I am appreciating all the help and guidance I am getting. 😊

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-18-2023 08:27 AM

You can't use the tstats variant unless your fields are indexed.

That other post is about getting the VALUES of the fields not the field names

If you want to get a list of fields with a known index and sourcetype then you can do

index=firewall sourcetype=firewall
| fieldsummary maxvals=1
| eval triplet="firewall.firewall.".field
| table triplet

Unfortunately fieldsummary does not persist the index and sourcetype in its results, so it's not possible to use that if you want to get the triplet from a variable set of indexes or sourcetypes.

This can be achieved this way

index=your_list_of_indexes_and_sourcetypes
| stats values(*) as * by index sourcetype
| foreach * [ eval fields=mvappend("<<MATCHSTR>>", fields) ]
| table index sourcetype fields
| mvexpand fields
| eval triplet=index.".".sourcetype.".".fields
| table triplet

the initial stats is really an optimisation so the foreach will run on fewer events - then the foreach is a critical part that is listing the field NAMES into the 'fields' field.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...