Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Retrieving all fields that have a certain value

andra_pietraru
Path Finder
‎04-02-2015 06:07 AM

My events have a few fields that are of the type:
field_Name=failed
What query should I write to get all that fields names? something that would mean any_field="failed" and retrieve me the name of that field.
I have just started writting queries in Splunk and any help would be much appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 12:50 PM

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

View solution in original post

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-17-2017 06:59 AM

Another good solution to this would be to | transpose the fields. This will turn your column names into rows with a new header. This will then give you the ability to do | search field=value

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-06-2015 04:11 PM

Hello every body!. here is my solution using regular expressions, although i don't know how is your events but if I had a sample of your data, I would have given you the exact search . I suppose that field_Name=failed figure in your events (raw data)

Try this: 

................|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=failed"|where field_Name!=""|table field_Name

Here is an example with the _internal index, that you can test.

index=_internal|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=json"|where field_Name!=""|table field_Name

If you still have problems, let's get a sample of your events.

SGF
0 Karma
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 12:50 PM

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

Reply
Solved! Jump to solution

jokertothequinn
Path Finder
‎09-04-2024 04:11 AM 
| fieldsummary
| search values=*\"value\":\"<what value you exactly want to check>\"*
| table field
0 Karma
Reply
Solved! Jump to solution

andra_pietraru
Path Finder
‎04-07-2015 01:07 AM

It did exactly what I wanted to: list all fields with "failed" as value. Thanks!

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-02-2015 09:03 AM

If you search for "failed" - how many fields do you get ? Can you just inspect the fields sidebar for potential matches?

Ultimately, it sounds like the key-value pairings are reversed - using values to search for keys ?

0 Karma
Reply
Solved! Jump to solution

andra_pietraru
Path Finder
‎04-02-2015 11:18 PM

I have about 15 different fields that may have "failed" as a value (not all in the same event). Inspecting the fields sidebar doesn't help very much since I would like to have an overview of all that fields , not just one.
You're right, I'm trying to use the value "failed" to retrieve all fields that have it.

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 12:51 PM

I submitted an answer. Good luck !

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...