How do I search for and return extracted fields li...

maverick · ‎04-18-2011

In other words, I want to first search on some events, and then I would like to create a table and include a column in that table containing the list of the extracted Field names.

Has anyone done this already or know what the Fields metadata name is to build this type of field of Fields, if you will?

gkanapathy · ‎04-18-2011

Simple:

... | transpose | fields column

hazekamp · ‎04-18-2011

Much simpler!

hazekamp · ‎04-18-2011

I am not familiar with a way to do this out-of-the box, so here's a search command for this...listfields will return a single column named "field" with each field found in the search as a result row. Example search would be: "* | head 10 | listfields | search field=foo".

## commands.conf
[listfields]
filename = listfields.py
retainsevents = false
streaming = false
supports_multivalues = true

## listfields.py
import os
import re
import sys
import splunk.Intersplunk

if __name__ == '__main__':

    try:

        results = splunk.Intersplunk.readResults(None, None, True)
        fields = []

        if len(results) > 0:
          for k,v in results[0].items():
            field = {}
            field['field'] = k
            fields.append(field)

        results = fields

    except Exception, e:
        results = splunk.Intersplunk.generateErrorResults(str(e))

    splunk.Intersplunk.outputResults(results)

How do I search for and return extracted fields list in a table?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!