The Splunk command fieldsummary is amazing – I use it quite frequently to explore sourcetypes that are "new" (to me), and to find out about more fields than I've previously used in the sourcetypes I work with most.
But sometimes you want to be able to delineate more granularly than fieldsummary will allow.
Maybe you have a single sourcetype that happens to have a couple of variations (Forescout CounterACT data is like this (it's all JSON, but there are ways to distinguish events based on the field
What is a Splunk user to do?
index=ndx sourcetype=srctp <field_to_split_on>=* | fields - _raw index sourcetype | foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>',0) ] | stats latest(*) as * by <field_to_split_on> | transpose 0 header_field=<field_to_split_on> | rename column as field
Run this in Verbose mode over a long enough time window to capture what you want to see (at one customer, I could pick earliest=-20m and have an ample sample). Verbose mode matters here: with a transforming command like stats in the search, Fast and Smart mode skip automatic field discovery, so foreach * and latest(*) would only see the handful of fields the search names explicitly.
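To make the shape of that search concrete without a Splunk instance handy, here is an added Python example (not code from the original post, and not Forescout's or Splunk's own logic) that reproduces what the pipeline does over a few constructed JSON events: drop _raw/index/sourcetype, collapse multivalue fields to their first value (the mvindex step), keep the latest non-null value of every field per variant (stats latest(*) as * by), and transpose so each row is a field and each column is a variant. The event contents, the eventType split field and the timestamps are constructed assumptions, not real CounterACT data.

```python
"""Per-variant field inventory, approximating the Splunk pipeline

    fields - _raw index sourcetype
    | foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>',0) ]
    | stats latest(*) as * by <split_field>
    | transpose 0 header_field=<split_field> | rename column as field

Added example, not from the original post. Events and field names below
are constructed assumptions (the split field 'eventType' is hypothetical).
"""
import json
from collections import defaultdict

# Constructed sample events: (epoch _time, raw JSON) for one sourcetype
# that carries two variants, distinguished by the hypothetical eventType field.
RAW_EVENTS = [
    (1700000000, '{"eventType":"host","ip":"10.0.0.5",'
                 '"mac":["aa:bb:cc:00:11:22","aa:bb:cc:00:11:23"],"os":"Windows"}'),
    (1700000060, '{"eventType":"policy","ip":"10.0.0.7",'
                 '"policy":"Compliance","status":"fail"}'),
    (1700000120, '{"eventType":"host","ip":"10.0.0.9",'
                 '"mac":"aa:bb:cc:00:11:99","nbt":"WS09"}'),
]

# fields - _raw index sourcetype
DROP = {"_raw", "index", "sourcetype"}


def first_value(value):
    """mvindex('<<FIELD>>', 0): reduce a multivalue field to its first value."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def latest_by(events, split_field):
    """stats latest(*) as * by split_field.

    Returns {variant: {field: latest non-null value}}; for each field the value
    from the most recent event (by _time) in which that field is present wins.
    """
    latest = defaultdict(dict)  # variant -> {field: (_time, value)}
    for t, raw in events:
        ev = json.loads(raw)
        # Simulate the metadata fields Splunk attaches before `fields -` removes them.
        ev.update({"_raw": raw, "index": "ndx", "sourcetype": "srctp"})
        if split_field not in ev:  # <field_to_split_on>=* in the base search
            continue
        variant = ev[split_field]
        for field, value in ev.items():
            if field in DROP or field == split_field:
                continue
            value = first_value(value)
            if value is None:
                continue
            prev = latest[variant].get(field)
            if prev is None or t >= prev[0]:
                latest[variant][field] = (t, value)
    return {v: {f: val for f, (_, val) in cols.items()} for v, cols in latest.items()}


def transpose(table):
    """transpose 0 header_field=split_field | rename column as field.

    One row per field name, one column per variant; missing cells are None,
    which is exactly the gap you are looking for when comparing variants.
    """
    variants = sorted(table)
    fields = sorted({f for cols in table.values() for f in cols})
    return [{"field": f, **{v: table[v].get(f) for v in variants}} for f in fields]


if __name__ == "__main__":
    for row in transpose(latest_by(RAW_EVENTS, "eventType")):
        print(row)
```

Reading the output row by row shows which fields exist only in one variant (policy and status for "policy" events, mac/os/nbt for "host" events), which is the granularity fieldsummary alone does not give you.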
I'm removing the fields index and sourcetype because I "know" the index and sourcetype, and _raw just isn't that helpful in this context.