Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search that lists all fields? (and data validation question)

mbasharat
Builder
‎06-20-2019 09:30 AM

Hi,
I am looking to create a search that allows me to get a list of all fields in addition to below:

| tstats count WHERE index=ABC by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
 | sort by _time Desc

How can I add field name in addition to results below in above SPL and get counts? I want to have an alternate version WITHOUT using tsats as well. So need both versions, with and without tstats.

Either I am missing a tiny piece above or brain needs some rest at the moment 🙂 Thanks in-advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2019 11:04 PM

@mbasharat you can try one of my older answers which lists two options that you can try

https://answers.splunk.com/answers/590143/how-to-dynamically-populate-field-names-in-dropdow.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 10:28 AM

are you looking for something like this?

| tstats count WHERE index="_audit" by index, source, sourcetype, _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc 
    | appendcols 
    [search index="_audit"
    | table *]

NOTE - the default _audit index has been considered here so that you can run the code as is

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎06-20-2019 10:50 AM

Is there a field name that I can use below so my results include the field names as well and then respective counts?

| tstats count WHERE index=ABC by index, source, sourcetype, fieldname (like * or something that gives me list of fields as well), _time
| fieldformat "_time"=strftime('_time', "%m/%d/%Y %T")
| sort by _time Desc

In your provided query, appendcols are providing results. But I want the field names in the header to be in the column with respective event counts

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-20-2019 11:20 AM

hi @mbasharat - Can you give some example mock up based on the _audit index if possible?
I am not able to understand your desired output

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...