Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to search and list all attributes from a data model?

spammenot66
Contributor
‎05-20-2016 09:18 PM

Is there a way to search and list all attributes from a data model in a search? For example if my data model consists of three attributes (host, uri_stem,referrer), is there a way to search the data model and list these three attributes into a search? Ideally, I would like to list these attributes and dynamically display values into a drop-down.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-21-2016 05:42 AM

Try this

| datamodel mydatamodel | spath | rename "objects{}.fields{}.displayName" AS fields | table fields | mvexpand fields

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-21-2016 05:42 AM

Try this

| datamodel mydatamodel | spath | rename "objects{}.fields{}.displayName" AS fields | table fields | mvexpand fields
Reply
Solved! Jump to solution

xoriantkbisht
Explorer
‎01-22-2020 11:43 PM

Hi Sundareshr,
When i am running this query, it is not listing the auto extracted fields which i have added. But if i am using pivot, it is showing results in pivot for my added fields. Can you tell me what actions should i take for this ? so that these fields will get added and i can run search query for those 2 fields

0 Karma
Reply
Solved! Jump to solution

spammenot66
Contributor
‎05-25-2016 01:21 PM

you rule! this |datamodel command worked wonders for me.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-21-2016 05:45 AM

Or this one 😉

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-21-2016 05:41 AM

The command you're looking for is called pivot:

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Pivot

It's a little difficult to get used to so I recommend reading the documentation but here's a search using an out of the box datamodel

| pivot internal_audit_logs Audit count(Audit) AS "Count of Audit"

And here is another example with split rows (to list the values of each):

| pivot internal_server server count(server) AS "count(server)" SPLITROW host AS host SPLITROW source AS source SPLITROW sourcetype AS sourcetype

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...