antipaucity

fighting the lack of good ideas

a rich man’s fieldsummary

Posted on 10 January 2023 by antipaucity

The Splunk command fieldsummary is amazing – I use it quite frequently to explore sourcetypes that are “new” (to me), and to find fields I haven’t used before in the sourcetypes I work with most.

But sometimes you want to be able to delineate more granularly than fieldsummary will allow.

Maybe you have a single sourcetype that happens to have a couple of variations. Forescout CounterACT data is like this: it’s all JSON, but events can be distinguished by the value of the field ctupdate.

What is a Splunk user to do?

Try this:

index=ndx sourcetype=srctp <field_to_split_on>=*
| fields - _raw index sourcetype
| foreach *
    [ eval <<FIELD>> = mvindex('<<FIELD>>',0) ]
| stats latest(*) as * by <field_to_split_on>
| transpose 0 header_field=<field_to_split_on>
| rename column as field

Run this in Verbose mode over a long enough time window to capture what you want to see (at one customer, I could pick earliest=-20m and have an ample sample).

I’m removing the fields _raw, index, and sourcetype because I “know” the index and sourcetype, and _raw just isn’t that helpful in this context.
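To make the pipeline’s behavior concrete, here is a small Python model of what each SPL stage does, added here as an illustration (it is not Splunk code and not part of the original post). The events, the split field ctupdate, and the field names are constructed sample data, not real CounterACT output.

```python
# Constructed sample events: one sourcetype with two variants, told apart by
# the split field "ctupdate". _time is only used for ordering here.
SAMPLE_EVENTS = [
    {"_time": 1, "_raw": "...", "index": "ndx", "sourcetype": "srctp",
     "ctupdate": "hostinfo", "ip": "10.0.0.5", "os": "Linux", "tags": ["a", "b"]},
    {"_time": 2, "_raw": "...", "index": "ndx", "sourcetype": "srctp",
     "ctupdate": "policyinfo", "ip": "10.0.0.6", "rule": "quarantine"},
    {"_time": 3, "_raw": "...", "index": "ndx", "sourcetype": "srctp",
     "ctupdate": "hostinfo", "ip": "10.0.0.7", "os": "Windows", "tags": ["c"]},
    # No split field at all: "<field_to_split_on>=*" in the search drops it.
    {"_time": 4, "_raw": "...", "index": "ndx", "sourcetype": "srctp", "ip": "10.0.0.8"},
]

# "| fields - _raw index sourcetype" (plus _time, which the model only sorts on)
DROP = {"_raw", "index", "sourcetype", "_time"}


def first_value(value):
    """foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>',0) ]:
    collapse a multivalue field to its first value so stats gets one scalar."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def latest_by(events, split_field):
    """stats latest(*) as * by <split_field>: for each variant, keep the value
    each field had in the most recent event that carried that field."""
    rows = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev.get(split_field)
        if key is None:
            continue  # filtered out by "<field_to_split_on>=*"
        row = rows.setdefault(key, {})
        for name, value in ev.items():
            if name in DROP or name == split_field:
                continue
            row[name] = first_value(value)  # later events overwrite earlier ones
    return rows


def transpose(rows):
    """transpose 0 header_field=<split_field> | rename column as field:
    one row per field name, one column per variant; None where the
    variant never carried that field."""
    fields = sorted({f for r in rows.values() for f in r})
    return [{"field": f, **{k: rows[k].get(f) for k in rows}} for f in fields]


if __name__ == "__main__":
    for row in transpose(latest_by(SAMPLE_EVENTS, "ctupdate")):
        print(row)
```

The printed table is the same shape the SPL produces: a “field” column followed by one column per variant, so a field that is empty for a variant stands out immediately.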

Category: technical. Tags: splunk

Copyright © 2025 antipaucity.