Solved: Re: Retrieving all fields that have a certain valu...

andra_pietraru · ‎04-02-2015

My events have a few fields that are of the type:
field_Name=failed
What query should I write to get all that fields names? something that would mean any_field="failed" and retrieve me the name of that field.
I have just started writting queries in Splunk and any help would be much appreciated!

aljohnson_splun · ‎04-06-2015

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

View solution in original post

skoelpin · ‎11-17-2017

Another good solution to this would be to | transpose the fields. This will turn your column names into rows with a new header. This will then give you the ability to do | search field=value

stephanefotso · ‎04-06-2015

Hello every body!. here is my solution using regular expressions, although i don't know how is your events but if I had a sample of your data, I would have given you the exact search . I suppose that field_Name=failed figure in your events (raw data)

Try this:

................|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=failed"|where field_Name!=""|table field_Name

Here is an example with the _internal index, that you can test.

index=_internal|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=json"|where field_Name!=""|table field_Name

If you still have problems, let's get a sample of your events.

SGF

aljohnson_splun · ‎04-06-2015

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

jokertothequinn · ‎09-04-2024

| fieldsummary
| search values=*\"value\":\"<what value you exactly want to check>\"*
| table field

andra_pietraru · ‎04-07-2015

It did exactly what I wanted to: list all fields with "failed" as value. Thanks!

aljohnson_splun · ‎04-02-2015

If you search for "failed" - how many fields do you get ? Can you just inspect the fields sidebar for potential matches?

Ultimately, it sounds like the key-value pairings are reversed - using values to search for keys ?

andra_pietraru · ‎04-02-2015

I have about 15 different fields that may have "failed" as a value (not all in the same event). Inspecting the fields sidebar doesn't help very much since I would like to have an overview of all that fields , not just one.
You're right, I'm trying to use the value "failed" to retrieve all fields that have it.

aljohnson_splun · ‎04-06-2015

I submitted an answer. Good luck !

Retrieving all fields that have a certain value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation