Splunk is not recognizing my configured fields to display.
I have a TextField module for entering AccountNumber. Inside this module is a Search command and an EventsViewer. Since I am searching by AccountNumber, there is absolutely no reason for the AccountNumber field to be displayed - yet it is.
I have tried using HiddenFieldSelector module, which doesn't seem to help.
I have tried using the 'field' param inside EventsViewer, but the documentation doesn't specify whether I should use comma delimited, space delimited, or whatever. Which is not to say I haven't tried everything.
Please help.
Thanks in advance.
Klee,
I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules, which should work as well):
<module name="EventsViewer">
  <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
  <param name="reportFieldLink">report_builder_format_report</param>
</module>
Yes hazedav, I was referring to the key=value pairings directly underneath the _raw values...
And in fact, I have found the best solution is to simply pipe my command into the fields command, and specify exactly the fields which may be displayed.
However, I do have one more issue with the EventsViewer... I just can't seem to find a way to turn off those damn highlights, or even define my own (for example, with the highlight command).
You can use Firebug to find the CSS class that is lighting up the segments in EventsViewer, and then add a style rule to your application.css file to override it.
I think this will work:
.splView-your_view_name_here .EventsViewer .default .a,
.splView-your_view_name_here .EventsViewer .default .fields .v {
    background: transparent;
}