I am trying to create a search that I can use to determine what fields are available for a tstats command. I have a large index with multiple sourcetypes, many of which are extracted at index time. The values of many fields have special characters (e.g., `/ . *` etc.) so the example I found with map does not work directly ( https://answers.splunk.com/answers/339034/is-there-a-way-to-know-which-fields-were-extracted.html ).
I am able to create a table of what I want to use (I know I have fewer than 100 fields, hence the `transpose` limit):

```
index=myindex
| stats first(*) AS *
| transpose 100
| rename column AS DATA_FIELD "row 1" AS VALUE
| eval TSFIELD=DATA_FIELD."::*"
| table DATA_FIELD VALUE TSFIELD
```
The TSFIELD strings work well in a search:

```
index=myindex
| search typeOneData.thisDetail::*
```

If results are returned, `typeOneData.thisDetail` is viable for tstats; if no results are returned, it is not a tstats'able field name.
What I would like to do is use the **values** in TSFIELD in the map command:

```
| map maxsearches=20 search="search index=youridx $column$::$row$ | head 1 | eval indexed=\"$column$\" | table indexed"
```

where the TSFIELD **values** are used in place of `$column$::$row$` and `\"$column$\"`.
Any suggestions?
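One way to feed the TSFIELD values into `map`, as an added example that is not part of the original post: `map` substitutes `$fieldname$` tokens with the value of that field from each incoming row, so the `fieldname::*` string already built in TSFIELD can be used as the search term directly, and the raw field values with special characters never reach the inner search. It assumes the index name `myindex` from the post and that `maxsearches` is raised to cover every field in the table.

```spl
index=myindex
| stats first(*) AS *
| transpose 100
| rename column AS DATA_FIELD "row 1" AS VALUE
| eval TSFIELD=DATA_FIELD."::*"
| table DATA_FIELD TSFIELD
| map maxsearches=100 search="search index=myindex $TSFIELD$ | head 1 | eval indexed=\"$DATA_FIELD$\" | table indexed"
```

Rows whose inner search returns no events produce no output, so the result is only the field names that are indexed and therefore usable in `tstats`; a spot check such as `| tstats count WHERE index=myindex BY typeOneData.thisDetail` confirms an individual name.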