Just some quick points:

- Fields are specific to the index they are a part of; they may not exist across indexes (though this is less problematic if your data is properly normalized).
- Have you done the queries to interrogate the data, as it exists, in your environment and identified which indexes and fields you want to exist as needed (cf. PickleRick's comment about use case)?

Some other, hopefully relevant, thoughts (which, from my experience, are sometimes useful in providing food for thought and context, especially for greener admins like me).

To add to the other relevant responses, and more generally in working with Splunk (and this does depend on whether you are a user or an admin, and even here this may mean different things depending on your organization) and trying to craft queries about data in your environment, it matters how you are configuring the ingestion (including, depending, the related architecture, like whether there is a syslog server or some TA needed), setting up the indexes, configuring what counts as a source (a hint that there is a ton of customizability to Splunk), and setting a schema for hostnames, either auto-extracted during ingestion or otherwise configured in a .conf file or using a lookup. Because there is a fairly large degree of customizability and arbitrariness in configurations (which may simply reflect your environment (and its architecture), what your business wants/needs, etc.), what is being ingested, how it is labeled (are you specifying this, setting a schema, or just letting a TA or Splunk figure it out), and whether there are standards for anything (internal to your organization, company policy, etc.), it can sometimes be hard to give specific advice without you spelling out all of the particulars.

In your case, getting a better sense of what is indexed and tagged, and what fields are available per index (since the fields exist inside of the index, per source, rather than necessarily being standard, which is helped by following CIM normalization best practices), will help you enormously in taking care of tasks like this. The larger idea here is to be kind to your future self and to others who have to interact with and admin your Splunk environment: follow best practices that make these tasks easier.

REFs:
https://docs.splunk.com/Documentation/CIM/5.3.2/User/UsetheCIMtonormalizedataatsearchtime
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Aboutindexedfieldextraction
https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-splunk-to-create-a-CMDB-like-table-of-asset-info/m-p/657338
https://splunkbase.splunk.com/
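As an added illustration of the "interrogate the data as it exists" step from the post above (this is example SPL written here, not the poster's queries or anything from the linked docs), the searches below walk from "which indexes exist" down to "which fields does one sourcetype actually carry" and finally "which of that data is CIM-normalized". The index and sourcetype names in angle brackets are placeholders to be replaced with values from your own environment; the time ranges are assumptions and can be widened.

```spl
| rem Step 1: which indexes hold data at all (no events are read; this walks bucket metadata).
| eventcount summarize=false index=* index=_*
| stats sum(count) AS events BY index
| sort - events

| rem Step 2: which sourcetypes and hosts feed each index (tstats reads indexed fields only, so it is cheap).
| tstats count WHERE index=* earliest=-24h BY index, sourcetype, host
| sort index, - count

| rem Step 3: which hosts have been seen per index and when they last reported.
| rem Useful for a CMDB-style asset table and for spotting hosts that stopped sending (a detection gap).
| metadata type=hosts index=*
| eval last_seen=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table host, totalCount, last_seen

| rem Step 4: for one index/sourcetype pair, list the fields that actually exist and how populated they are.
| rem Placeholders: <your_index> and <your_sourcetype> are assumptions to be replaced.
index=<your_index> sourcetype=<your_sourcetype> earliest=-1h
| fieldsummary maxvals=5
| table field, count, distinct_count, values
| sort - count

| rem Step 5: check whether the same events are reachable through a CIM data model
| rem (Authentication is used as an example; summariesonly=false means this works without acceleration).
| tstats count FROM datamodel=Authentication WHERE earliest=-24h BY Authentication.src, Authentication.user, Authentication.action
| sort - count
```

Each step is a separate search; run them one at a time in the search bar rather than as a single pipeline. If step 4 shows a field you expect (for example a normalized `user` or `src`) with a low `count` relative to the event total, the extraction or the TA's field alias is not applying to most events, which is exactly the per-index, per-source gap the post describes; step 5 then tells you whether the data is usable through CIM at all, which is what makes cross-index searches and ES correlation work without hard-coding raw field names.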