
AdvancedXML EventsViewer fields

klee310
Communicator

Splunk is not recognizing my configured fields to display.

I have a TextField module for entering AccountNumber. Inside this module is Search command and an EventsViewer. Since I am searching by AccountNumber, there is absolutely no reason for the AccountNumber field to be displayed - yet it is.

I have tried using HiddenFieldSelector module, which doesn't seem to help.

I have tried using the 'field' param inside EventsViewer, but the documentation doesn't specify whether I should use comma delimited, space delimited, or whatever. Which is not to say, I haven't tried everything.

Please help

thanks in advance

1 Solution

hazekamp
Builder

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>


klee310
Communicator

yes hazedav, I was referring to the key=value pairings directly underneath the _raw values...

and in fact, I have found the best solution is to simply pipe my command into the fields command, and specify exactly the fields which may be displayed.

However, I do have one more issue with the EventsViewer... I just can't seem to find a way to turn off those damn highlights, or even define my own (for example, with the highlight command).

0 Karma

sideview
SplunkTrust

You can use Firebug to find the CSS class that is lighting up the segments in EventsViewer, and then add a style rule to your application.css file to override it.

I think this will work:

   .splView-your_view_name_here .EventsViewer .default .a,
   .splView-your_view_name_here .EventsViewer .default .fields .v {
       background: transparent;
   }

0 Karma
