I would like to export a list of the fieldnames in any given search. How could I do this?
This will give you a single row with one column for every field, where the cell values are the distinct counts:
<your search> | stats dc(*) as *
and then tacking the transpose command on the end will flip it around:
<your search> | stats dc(*) as * | transpose
It'll be MUCH faster to run this search in the 'advanced charting' view instead of the default search UI, but once it's run you should be able to use the UI to export it as you would a regular search.
Since the original answer in 2010, we now have the fieldsummary
command, so you can list the fields from a search:
yoursearchhere | fieldsummary
This command provides a lot more info than just the field names, though. So you might want to do this:
yoursearchhere | fieldsummary | fields field
How to do this without getting _time and _raw?
This worked for me:
... | stats dc(c*)
looks for fields beginning with c, and
... | stats dc(c*) | transpose
looks for fields beginning with c; transpose just flips it.
Now what I want to know is how to insert a row number when I flip it using transpose?
Found it here:
... | stats dc(c*) | transpose | streamstats count as row | fields row *
Just a quick addition to what Nick said.
If you want to also see hidden fields, you can do so with a search like this:
... | rename _* AS aHiddenField__* | stats dc(*) as * | transpose | replace "aHiddenField__*" with "_*" in column
Update: As pointed out in a comment below, this can be further simplified like so:
... | stats dc(_*) as aHiddenField__* dc(*) as * | transpose | replace "aHiddenField__*" with "_*" in column
Both of these approaches simply rename hidden fields temporarily (they are given a hopefully unique prefix). Afterwards we use a replace to return the fields to their original names.
If you want hidden fields, you can also do ... | stats dc(_*) as xxx_* , dc(*) as *
instead, or just ... | stats dc(_*),dc(*)
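The pieces used in this thread (dc(*) per field, the dc(c*) prefix filter, the temporary prefix for hidden fields, transpose, and the streamstats row number) can be modelled offline to see exactly what each stage of the pipeline produces. The following is an added Python illustration, not Splunk's own code or anything posted in this thread; the events are constructed, and it assumes Splunk's behaviour that a stats wildcard such as `*` does not match underscore-prefixed internal fields unless the pattern itself begins with `_` (which is why dc(_*) is needed separately).

```python
"""Offline model of the SPL pipelines in this thread, e.g.
    ... | stats dc(_*) as aHiddenField__* dc(*) as * | transpose
        | streamstats count as row | fields row *
        | replace "aHiddenField__*" with "_*" in column
Added illustration, not Splunk code; the events below are constructed."""
import fnmatch
from collections import OrderedDict
from typing import Dict, Iterable, List, Optional

# Constructed sample events. "_time"/"_raw" stand in for Splunk's hidden fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"_time": "1", "_raw": "a", "src": "10.0.0.1", "dest": "10.0.0.9", "action": "allowed"},
    {"_time": "2", "_raw": "b", "src": "10.0.0.1", "dest": "10.0.0.8", "action": "blocked", "user": "bob"},
    {"_time": "3", "_raw": "c", "src": "10.0.0.2", "action": "blocked", "user": "bob"},
]

HIDDEN_PREFIX = "aHiddenField__"  # the temporary prefix used in the thread


def wildcard_match(name: str, pattern: str) -> bool:
    """stats-style wildcard match. Assumption modelled here: underscore-prefixed
    (internal) fields only match when the pattern itself starts with '_',
    which is why the thread needs a separate dc(_*) to see _time and _raw."""
    if name.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(name, pattern)


def stats_dc(events: Iterable[Dict[str, str]], pattern: str = "*",
             rename_as: Optional[str] = None) -> "OrderedDict[str, int]":
    """Model of `stats dc(<pattern>) as <rename_as>`: one row with one column
    per matching field, holding the number of distinct values seen. Fields
    that never occur are simply absent. `rename_as` is a literal prefix plus
    '*' (e.g. 'aHiddenField__*'); its '*' receives whatever the pattern's
    '*' matched, so '_time' under dc(_*) becomes 'aHiddenField__time'."""
    distinct: "OrderedDict[str, set]" = OrderedDict()
    for event in events:
        for name, value in event.items():
            if wildcard_match(name, pattern):
                distinct.setdefault(name, set()).add(value)
    literal = pattern.rstrip("*")  # assumes a single trailing '*'
    row: "OrderedDict[str, int]" = OrderedDict()
    for name, values in distinct.items():
        out = rename_as.replace("*", name[len(literal):], 1) if rename_as else name
        row[out] = len(values)
    return row


def transpose(row: Dict[str, int]) -> List[Dict[str, object]]:
    """Model of `transpose` on a single-row result: every column becomes a
    row with the field name in `column` and its value in `row 1`."""
    return [{"column": name, "row 1": value} for name, value in row.items()]


def streamstats_count(rows: List[Dict[str, object]], field: str = "row") -> List[Dict[str, object]]:
    """Model of `streamstats count as row | fields row *`: 1-based row number, listed first."""
    return [{field: i, **r} for i, r in enumerate(rows, start=1)]


def replace_in_column(rows: List[Dict[str, object]], old: str, new: str) -> List[Dict[str, object]]:
    """Model of `replace "<old>" with "<new>" in column` for prefix wildcards:
    restores the hidden fields' original names."""
    old_p, new_p = old.rstrip("*"), new.rstrip("*")
    for r in rows:
        if str(r["column"]).startswith(old_p):
            r["column"] = new_p + str(r["column"])[len(old_p):]
    return rows


def field_list(events: List[Dict[str, str]], include_hidden: bool = True) -> List[Dict[str, object]]:
    """The whole pipeline: every field name (hidden ones restored), its
    distinct count, and a row number."""
    row: "OrderedDict[str, int]" = OrderedDict()
    if include_hidden:
        row.update(stats_dc(events, "_*", HIDDEN_PREFIX + "*"))
    row.update(stats_dc(events, "*", "*"))
    rows = streamstats_count(transpose(row))
    return replace_in_column(rows, HIDDEN_PREFIX + "*", "_*")


if __name__ == "__main__":
    for r in field_list(SAMPLE_EVENTS):
        print(r["row"], r["column"], r["row 1"])
```

Two things the model makes visible that the one-liners do not: a field that is never present in any event never appears in the output at all (there is no column for it to count), and the column order of the final list is the order in which stats emitted its columns, so the hidden fields come first only because dc(_*) is written before dc(*). Note also that the real transpose command defaults to the first 5 rows of its input, which is harmless here because stats produces exactly one row.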
This works in Splunk 6.2.1 only if you add an asterisk after the as, like so:
<your search> | stats dc(*) as * | transpose
Is there a way to output only the fields identified in transforms.conf?
If not, can you order the fields by the percentage of events that contain those fields?
I found it. I was looking at the 4.0 examples and had not noticed that a new one for 4.1 was released. Here is the URL for anyone following along: http://www.splunkbase.com/apps/All/4.x/Add-On/app:UI+Examples+for+4.1
Nick, I can't find that section in the ui_example apps. I downloaded the latest copy of the app (1.1 from Jan 19, 2010) from this URL: http://www.splunkbase.com/apps/All/4.x/Add-On/app:UI+Examples But I am unable to find the view which contains this information. Is there a newer version somewhere else?
Indeed. flashtimeline will dispatch even the simplest reporting command in a way that incurs huge expense. Check out the 'Affecting Search Performance' section of the ui_examples app. The examples and the copy in there will give you a quick tour of the issues.
Advanced charting will be faster primarily because it doesn't need to keep track of a top for every single field in addition to the main search.
I'm not sure about the "advanced charting" speed-up thing. Doesn't the very nature of a stats "dc(*)" mean that all fields have to be extracted anyway? It seems like it will be an expensive operation no matter what.