Get Fields Defined for Multiple KVStore Collections

You already voted!

Description:

This query gets all collection titles in your instance, then runs a map function on them to get their fields from a single query. The reason this is necessary is because the API returns collection fields as columns, not values, and if you just table all fields for multiple collections, you’ll end up with a union of fields from all collections instead of each unique collection’s own defined fields.

This query assumes you have no duplicate kvstore names in apps, fields defined for the kvstores you do have, and that you have access to the REST API to run this command

Add-on’s Required:

None

Query:

| rest /servicesNS/nobody/-/storage/collections/config splunk_server=local
| table title
| map search="
| rest /servicesNS/nobody/-/storage/collections/config/$title$ splunk_server=local
| table title field.*
| foreach field.* 
[| eval fieldlist=mvappend(fieldlist, \"<<FIELD>>\")]
| eval fieldlist=mvjoin(mvmap(fieldlist, mvindex(split(fieldlist, \".\"), 1)), \",\")
| table title fieldlist"

Splunk Query Repository

Get Fields Defined for Multiple KVStore Collections

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Get Fields Defined for Multiple KVStore Collections

Related Queries

REST Call for a list of Alert actions (Webhook_sms or Email or notable or ..)

REST Call for a get details about Alert cron_schedules

List the size of lookup files with an SPL search.

Leave A Comment? Click here to cancel reply.