Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search that lists all fields? (and data validation question)

mbasharat
Builder
‎06-20-2019 09:30 AM

Hi,
I am looking to create a search that allows me to get a list of all fields in addition to below:

| tstats count WHERE index=ABC by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
 | sort by _time Desc

How can I add field name in addition to results below in above SPL and get counts? I want to have an alternate version WITHOUT using tsats as well. So need both versions, with and without tstats.

Either I am missing a tiny piece above or brain needs some rest at the moment 🙂 Thanks in-advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 10:28 AM

are you looking for something like this?

| tstats count WHERE index="_audit" by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc 
    | appendcols 
    [search index="_audit"
    | table *]

NOTE - the default _audit index has been considered here so that you can run the code as is

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎06-20-2019 10:50 AM

Is there a field name that I can use below so my results include the field names as well and then respective counts?

| tstats count WHERE index=ABC by index, source, sourcetype, fieldname (like * or something that gives me list of fields as well), _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc

In your provided query, appendcols are providing results. But I want the field names in the header to be in the column with respective event counts

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 11:20 AM

hi @mbasharat - Can you give some example mock up based on the _audit index if possible?
I am not able to understand your desired output

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...