Splunk Search

How can I search for all fields that have a certain string?

net1993
Path Finder

Hello

How can I get only results for specific fields where field name is like something ?

fx.
get all fields which have "status" in their field name.

I tried this but it doesn't work:
sta*
I want also to do later this:

sta* OR STA* OR Sta*

Thank you in advance


kmaron
Motivator
| fieldsummary  sta* STA* Sta*
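As an added illustration (not from any post in this thread): the wildcard field list of fieldsummary is case-sensitive, so summarizing all fields and then filtering the output with a case-insensitive regex covers sta*, STA* and Sta* in one pass. index=idx and sourcetype=st are placeholder names; substitute your own base search.

```spl
index=idx sourcetype=st earliest=-24h
| fieldsummary maxvals=5
| where match(field, "(?i)^sta")
| table field count distinct_count values
```

fieldsummary only reports fields present in the events the base search returns, so the list depends on the time range and on which fields are actually extracted for that sourcetype.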

net1993
Path Finder

Exactly this. Thanks !

Vijeta
Influencer

You want to see field names that have "status" in them and not the field values that have "status" in them, if I understood correctly? If that is the case you can do: | table status

net1993
Path Finder

Yes, but not sure if we are talking about the same thing.
Please refer to @kmaron's response as it is exactly what I was looking for.

sudosplunk
Motivator

If the "status" field is extracted, then you can run index=idx sourcetype=st status=*. This will give all events which have the status field.

net1993
Path Finder

I think the question is not understood.

My problem is that I don't know that status is called status.
It might be status_20 or status_Main,
so what I want to find is all fields which start with st*

sudosplunk
Motivator

So the field is not extracted. Try running *status* or *sta* to see exact name and then extract the field.

net1993
Path Finder

But from what I understood from the other post, such a search will look only in the value but not in the field name. Isn't that correct?

What do you mean by extracted for field?
Do you mean that extracted => the field will be lying in left under fields ..?

sudosplunk
Motivator

Searching with *string* will search for all the raw events containing string. For example, if searched for *status*, Splunk will output all the events which contain failed_status, success_status, status, status_failed, status_success.

If you say status=fail* then splunk will look only in value of the field called status.

What do you mean by extracted for field?
Do you mean that extracted => the field will be lying in left under fields ..?

Yes. Under "INTERESTING FIELDS" column. After figuring out the name you want to use for status, you can extract a field with that name and use it for future searches.

net1993
Path Finder

Ok, so I can tell that the field is already extracted. My primary goal is that I don't want to screen all available columns on the left.
I am lazy 😄 so I want to display in front of my eyes in the search all (extracted) fields which start with "st".

And I guess that status by itself is not in the raw data but metadata?

sudosplunk
Motivator

Alright, first step is to search for all raw events which have "status" string by using *status* or *stat*. - This will give you an idea about how "status" is represented.

Next step is to extract the "status" field so that it will show up in the left column under "Interested fields". - For this, provide redacted events from the above output results which show all possible values for "status" and I can help you build a regex for field extraction.

net1993
Path Finder

Ok, I'll try that and give feedback.
Thank you @sudosplunk
