Generate list of all Fields in a Search?

muebel
SplunkTrust

I would like to export a list of the fieldnames in any given search. How could I do this?

1 Solution

sideview
SplunkTrust

This will give you a single row with one column for every field, where the cell values are the distinct counts:

<your search> | stats dc(*) as *

and then tacking the transpose command on the end will flip it around:

<your search> | stats dc(*) as * | transpose

It'll be MUCH faster to run this search in the 'advanced charting' view instead of the default search UI, but once it's run you should be able to use the UI to export it as you would a regular search.

lguinn2
Legend

Since the original answer in 2010, we now have the fieldsummary command, so you can list the fields from a search:

yoursearchhere | fieldsummary

This command provides a lot more info than just the field names, though. So you might want to do this:

yoursearchhere | fieldsummary | fields field

jzapantis
Path Finder

How do I do this without getting _time and _raw?

HattrickNZ
Motivator

This worked for me:

... | stats dc(c*)
(look for fields beginning with c)

... | stats dc(c*) | transpose
(look for fields beginning with c; transpose just flips it)

Now what I want to know is how to insert a row number when I flip it using transpose?

Found it here:

... | stats dc(c*) | transpose | streamstats count as row | fields row *

Lowell
Super Champion

Just a quick addition to what Nick said.

If you want to also see hidden fields, you can do so with a search like this:

... | rename _* AS aHiddenField__* | stats dc(*) as * | transpose | replace "aHiddenField__*" with "_*" in column

Update: As pointed out in a comment below, this can be further simplified like so:

... | stats dc(_*) as aHiddenField__* dc(*) as * | transpose | replace "aHiddenField__*" with "_*" in column

Both of these approaches simply rename hidden fields temporarily (they are given a hopefully unique prefix). Afterwards we use a replace to return the fields to their original names.

gkanapathy
Splunk Employee

If you want hidden fields, you can also do ... | stats dc(_*) as xxx_*, dc(*) as * instead, or just ... | stats dc(_*), dc(*)

helge
Builder

This works in Splunk 6.2.1 only if you add an asterisk after the as, like so:

<your search> | stats dc(*) as * | transpose

jpass
Contributor

Is there a way to output only the fields identified in transforms.conf?

If not, can you order the fields by the percentage of events that contain those fields?

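As an added example (not from any poster in this thread) of jpass's second question, ranking fields by the share of events that contain them: it applies the same wildcard trick the thread uses with dc(*), but with count(*), which counts only the events where each field is present, and adds a plain count so the percentage has a denominator. <your search> and the output field names events, total_events and pct_of_events are placeholders.

```spl
<your search>
| stats count AS total, count(*) AS *
| transpose column_name=field
| rename "row 1" AS events
| eval events=tonumber(events)
| eventstats max(events) AS total_events
| eval pct_of_events=round(100 * events / total_events, 1)
| where field!="total"
| sort - pct_of_events
| table field events pct_of_events
```

The max(events) step works because no field can be present in more events than the total, so the "total" row always wins; as elsewhere in this thread, the * wildcard skips hidden fields such as _time and _raw, so add dc(_*)/count(_*) with a prefix if you want them too.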
Lowell
Super Champion

I found it. I was looking at the 4.0 examples and had not noticed that a new one for 4.1 was released. Here is the URL for anyone following along: http://www.splunkbase.com/apps/All/4.x/Add-On/app:UI+Examples+for+4.1

Lowell
Super Champion

Nick, I can't find that section in the ui_example apps. I downloaded the latest copy of the app (1.1 from Jan 19, 2010) from this URL: http://www.splunkbase.com/apps/All/4.x/Add-On/app:UI+Examples but I am unable to find the view which contains this information. Is there a newer version somewhere else?

sideview
SplunkTrust
SplunkTrust

Indeed, flashtimeline will dispatch even the simplest reporting command in a way that incurs huge expense. Check out the 'Affecting Search Performance' section of the ui_examples app. The examples and the copy in there will give you a quick tour of the issues.

gkanapathy
Splunk Employee

Advanced charting will be faster primarily because it doesn't need to keep track of a top for every single field in addition to the main search.

Lowell
Super Champion

I'm not sure about the "advanced charting" speed-up thing. Doesn't the very nature of a stats "dc(*)" mean that all fields have to be extracted anyway? It seems like it will be an expensive operation no matter what.
