Solved: Return the Field Name from a Common Value Across S...

proletariat99 · ‎01-13-2014

If I do a search like this:

index=* sourcetype=* host=* 1.1.1.1

And I get millions of responses from dozens of sourcetypes, how can I return the name of the field(s) where 1.1.1.1 occurs?

I don't have time to chunk through thousands of possible fields looking for my data. The best suggestion I've heard to date is a rex that looks backwards and returns pre-equal-sign data. I have a hard time believing there isn't an easier / more elegant solution. Can anyone help?

bshuler_splunk · ‎05-01-2014

This example will show you all of the fields which contain the value shelper

index=_internal shelper | fieldsummary | search values=shelper | table field

View solution in original post

bshuler_splunk · ‎05-01-2014

This example will show you all of the fields which contain the value shelper

index=_internal shelper | fieldsummary | search values=shelper | table field

proletariat99 · ‎07-18-2014

If I could vote this up a hundred times, I would. I use this all the time.

Return the Field Name from a Common Value Across Sourcetypes

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!