×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lost_alex
Observer
Member since: ‎05-06-2022
‎05-06-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-06-2022
View All

Re: Show all fields for a list of sources and show...

by in Splunk Search
‎05-06-2022 02:57 AM
‎05-06-2022 02:57 AM
Thank you very much for your response. My idea is to cover situations where I build a query, I use some fields with conditions (as example: reputation=5) and looking to multiple sources. The problem is that not all sources have field reputation and by simply adding the sources in a macro, for example, it will give me the false fact that the source is covered by that specific scenario.  Since I am using fields that should exist in every event, if there are no values within 7 days, it means that field doesn't exist for that source. One option would be to be specific about fields I am interested rather than making a list of 700 fields where I would need only 3 but the idea was to create a list of these 700 fields for 50 sources and check for each use case if the used fields are in the list and for which source. ... View more

Show all fields for a list of sources and show 1 f...

by in Splunk Search
‎05-06-2022 01:36 AM
‎05-06-2022 01:36 AM
Dear community, I am using this community since years, so far I've found everything I needed. Now I am stuck!!! I am trying the following: I want to list all the index'es fields so when I build a query, to know immediately if a specific source has that field. Second part is easy. Once I have the list I know what I need to do. So, basically, I need something like this: Fields index1 index2 index3 indexn field1 1 1 0 1 field2 0 0 1 1 fieldn 1 1 1 1   where 0 is when the field doesn't exist, 1 there is at least one value in the specific field. My search looks like: index IN ( index 1 index2 indexn ) | stats count(*) as * by index | transpose column_name=Field header_field=index |outputlookup whateverfile.csv The problem with this search is that it takes ages, I don't need a full count. I just need to count the first value it gets and stop and then move on. In this way I will have a count of 0 if the field doesn't exist, 1 if exists. Any ideas?     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-06-2022 09:48 AM