Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Retrieving all fields that have a certain value

andra_pietraru
Path Finder
‎04-02-2015 06:07 AM

My events have a few fields that are of the type:
field_Name=failed
What query should I write to get all that fields names? something that would mean any_field="failed" and retrieve me the name of that field.
I have just started writting queries in Splunk and any help would be much appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 12:50 PM

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

View solution in original post

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-17-2017 06:59 AM

Another good solution to this would be to | transpose the fields. This will turn your column names into rows with a new header. This will then give you the ability to do | search field=value

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-06-2015 04:11 PM

Hello every body!. here is my solution using regular expressions, although i don't know how is your events but if I had a sample of your data, I would have given you the exact search . I suppose that field_Name=failed figure in your events (raw data)

Try this: 

................|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=failed"|where field_Name!=""|table field_Name

Here is an example with the _internal index, that you can test.

index=_internal|rex "(?i)^[^\?]*\?(?P<field_Name>[^=]+)=json"|where field_Name!=""|table field_Name

If you still have problems, let's get a sample of your events.

SGF
0 Karma
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 12:50 PM

Try something like this:

 ... your search
| fieldsummary
| search values=*failed*
| table field

You could actually use eval and the mvsplit on the values field too but it'd be a bit more work to clean it up.

Reply
Solved! Jump to solution

andra_pietraru
Path Finder
‎04-07-2015 01:07 AM

It did exactly what I wanted to: list all fields with "failed" as value. Thanks!

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-02-2015 09:03 AM

If you search for "failed" - how many fields do you get ? Can you just inspect the fields sidebar for potential matches?

Ultimately, it sounds like the key-value pairings are reversed - using values to search for keys ?

0 Karma
Reply
Solved! Jump to solution

andra_pietraru
Path Finder
‎04-02-2015 11:18 PM

I have about 15 different fields that may have "failed" as a value (not all in the same event). Inspecting the fields sidebar doesn't help very much since I would like to have an overview of all that fields , not just one.
You're right, I'm trying to use the value "failed" to retrieve all fields that have it.

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 12:51 PM

I submitted an answer. Good luck !

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...