Solved: Retrieving all fields that have a certain value

andra_pietraru · ‎04-02-2015

My events have a few fields that are of the type:
field_Name=failed
What query should I write to get all that fields names? something that would mean any_field="failed" and retrieve me the name of that field.
I have just started writting queries in Splunk and any help would be much appreciated!

aljohnson_splun · ‎04-06-2015

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

View solution in original post

skoelpin · ‎11-17-2017

Another good solution to this would be to | transpose the fields. This will turn your column names into rows with a new header. This will then give you the ability to do | search field=value

stephanefotso · ‎04-06-2015

Hello every body!. here is my solution using regular expressions, although i don't know how is your events but if I had a sample of your data, I would have given you the exact search . I suppose that field_Name=failed figure in your events (raw data)

Try this:

................|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=failed"|where field_Name!=""|table field_Name

Here is an example with the _internal index, that you can test.

index=_internal|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=json"|where field_Name!=""|table field_Name

If you still have problems, let's get a sample of your events.

SGF

aljohnson_splun · ‎04-06-2015

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

andra_pietraru · ‎04-07-2015

It did exactly what I wanted to: list all fields with "failed" as value. Thanks!

aljohnson_splun · ‎04-02-2015

If you search for "failed" - how many fields do you get ? Can you just inspect the fields sidebar for potential matches?

Ultimately, it sounds like the key-value pairings are reversed - using values to search for keys ?

andra_pietraru · ‎04-02-2015

I have about 15 different fields that may have "failed" as a value (not all in the same event). Inspecting the fields sidebar doesn't help very much since I would like to have an overview of all that fields , not just one.
You're right, I'm trying to use the value "failed" to retrieve all fields that have it.

aljohnson_splun · ‎04-06-2015

I submitted an answer. Good luck !

Retrieving all fields that have a certain value

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk