Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to search and list all attributes from a data model?

spammenot66
Contributor
‎05-20-2016 09:18 PM

Is there a way to search and list all attributes from a data model in a search? For example if my data model consists of three attributes (host, uri_stem,referrer), is there a way to search the data model and list these three attributes into a search? Ideally, I would like to list these attributes and dynamically display values into a drop-down.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-21-2016 05:42 AM

Try this

| datamodel mydatamodel | spath | rename "objects{}.fields{}.displayName" AS fields | table fields | mvexpand fields

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-21-2016 05:42 AM

Try this

| datamodel mydatamodel | spath | rename "objects{}.fields{}.displayName" AS fields | table fields | mvexpand fields
Reply
Solved! Jump to solution

xoriantkbisht
Explorer
‎01-22-2020 11:43 PM

Hi Sundareshr,
When i am running this query, it is not listing the auto extracted fields which i have added. But if i am using pivot, it is showing results in pivot for my added fields. Can you tell me what actions should i take for this ? so that these fields will get added and i can run search query for those 2 fields

0 Karma
Reply
Solved! Jump to solution

spammenot66
Contributor
‎05-25-2016 01:21 PM

you rule! this |datamodel command worked wonders for me.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-21-2016 05:45 AM

Or this one 😉

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-21-2016 05:41 AM

The command you're looking for is called pivot:

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Pivot

It's a little difficult to get used to so I recommend reading the documentation but here's a search using an out of the box datamodel

| pivot internal_audit_logs Audit count(Audit) AS "Count of Audit"

And here is another example with split rows (to list the values of each):

| pivot internal_server server count(server) AS "count(server)" SPLITROW host AS host SPLITROW source AS source SPLITROW sourcetype AS sourcetype

0 Karma
Reply
Get Updates on the Splunk Community!

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...