antipaucity

fighting the lack of good ideas

a rich man’s fieldsummary

The Splunk command fieldsummary is amazing – I use it quite frequently to explore sourcetypes that are “new” (to me), and to discover fields I haven’t previously used in the sourcetypes I work with most.

But sometimes you want to be able to delineate more granularly than fieldsummary will allow.

Maybe you have a single sourcetype that happens to carry a couple of variations. Forescout CounterACT data is like this: it’s all JSON, but the different event types can be told apart by the value of the field ctupdate.

What is a Splunk user to do?

Try this:

index=ndx sourcetype=srctp <field_to_split_on>=*
| fields - _raw index sourcetype
| foreach *
    [ eval <<FIELD>> = mvindex('<<FIELD>>',0) ]
| stats latest(*) as * by <field_to_split_on>
| transpose 0 header_field=<field_to_split_on>
| rename column as field

Run this in Verbose mode over a long enough time window to capture what you want to see (at one customer, I could pick earliest=-20m and have an ample sample).

I’m removing the fields _raw, index, and sourcetype because I “know” the index and sourcetype, and _raw just isn’t that helpful in this context.
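For readers who want to see what the search above actually computes, here is an added, stand-alone Python re-implementation of the same pipeline (this is not code from the original post and not Splunk’s own logic). It runs over a handful of constructed JSON events with a hypothetical ctupdate discriminator: drops _raw/index/sourcetype, keeps only the first value of any multivalue field (mvindex 0), takes the latest value of every field per variant (stats latest(*) by), and transposes the result so each row is a field and each column is a variant. Events are assumed to be listed in chronological order, so a later event wins for “latest”.

```python
import json

# Constructed sample events (not real Forescout output): one sourcetype,
# two variants distinguished by the hypothetical field "ctupdate".
# The last event lacks ctupdate and is dropped, like `ctupdate=*` would.
SAMPLE_EVENTS = [
    json.dumps({"ctupdate": "hostinfo", "ip": "10.0.0.5",
                "mac": "00:11:22:33:44:55", "os": "Linux"}),
    json.dumps({"ctupdate": "policy", "ip": "10.0.0.7",
                "rule": "Block-Unmanaged", "action": ["deny", "log"]}),
    json.dumps({"ctupdate": "hostinfo", "ip": "10.0.0.9",
                "mac": "66:77:88:99:aa:bb", "os": ["Windows", "Windows 10"]}),
    json.dumps({"ip": "10.0.0.1", "orphan": "no discriminator here"}),
]

DROPPED_FIELDS = ("_raw", "index", "sourcetype")  # `fields - _raw index sourcetype`


def first_value(value):
    """Equivalent of mvindex('<<FIELD>>', 0): keep only the first of a multivalue field."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def latest_by_split_field(raw_events, split_field):
    """Mirror `stats latest(*) as * by <split_field>`.

    Returns {variant_value: {field_name: latest_first_value}}. Events are
    assumed to arrive oldest-first, so a later event overwrites an earlier one.
    """
    latest = {}
    for raw in raw_events:
        event = json.loads(raw)
        key = event.get(split_field)
        if key is None:
            continue  # same effect as the `<field_to_split_on>=*` search filter
        bucket = latest.setdefault(key, {})
        for field, value in event.items():
            if field in DROPPED_FIELDS:
                continue
            bucket[field] = first_value(value)
    return latest


def transpose(latest):
    """Mirror `transpose 0 header_field=<split_field> | rename column as field`.

    One row per field name; one column per variant; empty string where a
    variant never carried that field.
    """
    variants = sorted(latest)
    fields = sorted({f for bucket in latest.values() for f in bucket})
    rows = []
    for field in fields:
        row = {"field": field}
        for variant in variants:
            row[variant] = latest[variant].get(field, "")
        rows.append(row)
    return rows


def field_summary_by(raw_events, split_field):
    """The whole pipeline: per-variant field coverage, one row per field."""
    return transpose(latest_by_split_field(raw_events, split_field))


if __name__ == "__main__":
    for row in field_summary_by(SAMPLE_EVENTS, "ctupdate"):
        print(row)
```

Reading the output the same way you would read the Splunk table: a blank cell under a variant means that variant never emits the field, which is exactly the per-variant view fieldsummary alone will not give you.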