
Selected fields in fields side bar

splunker12er
Motivator

In order to be a selected field, does that field have to exist in every event?

Now host, source, sourcetype are the only three fields that exist by default when I fire a search query.
Is this because all the events indexed in Splunk have / are assigned these 3 fields?

I see viewstates.conf files to set the selected fields. Is the below file in the mentioned path responsible for this?

Path : opt/splunk/share/splunk/app_templates/sample_app/default/viewstates.conf

[flashtimeline:fwk4471e]
Count_0_7_1.count = 10
DataOverlay_0_12_0.dataOverlayMode = none
DataOverlay_1_13_0.dataOverlayMode = none
FieldPicker_0_6_1.fields = host sourcetype source
FieldPicker_0_6_1.sidebarDisplay = True
MaxLines_0_13_0.maxLines = 10
RowNumbers_0_12_0.displayRowNumbers = true
RowNumbers_1_11_0.displayRowNumbers = true
RowNumbers_2_12_0.displayRowNumbers = true
Segmentation_0_14_0.segmentation = inner
SoftWrap_0_11_0.enable = True
0 Karma

hsesterhenn
Path Finder

Hi,

in addition to martin's answer:

No, a field does not necessarily have to exist in every event. If it's there, you see it in the line under the event even if the event view is not expanded.

If you want to see only events with this field, you can type "fieldname=*" in the search, or click on the field in the list of "interesting fields" and select "only events with this field", which adds this attribute to the search.

But beware: this can slow down your search.

HTH,

Holger

0 Karma

martin_mueller
SplunkTrust

Selected fields are selected because you selected them... 😄

Click a field in the side bar and click the Selected: Yes button in the top right corner of the popup.
Underneath that gets stored in $SPLUNK_HOME/etc/users///local/ui-prefs.conf:

[<app>]
display.events.fields = ["host","source","sourcetype","component"]

I'm sure you can set that in the apps structure as well for all users using that app.
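
Added example (not part of the original thread and not Splunk's own code): a small Python reader that pulls the selected-field list out of both formats quoted above, the JSON array under `display.events.fields` and the space-separated `FieldPicker_*.fields` value from viewstates.conf. The function name `selected_fields` is hypothetical, and the sample inputs are constructed from the snippets in this thread.

```python
import configparser
import json

# Constructed samples modelled on the two snippets quoted in this thread.
UI_PREFS = """
[<app>]
display.events.fields = ["host","source","sourcetype","component"]
"""

VIEWSTATES = """
[flashtimeline:fwk4471e]
Count_0_7_1.count = 10
FieldPicker_0_6_1.fields = host sourcetype source
FieldPicker_0_6_1.sidebarDisplay = True
"""


def _parse(text):
    # interpolation=None: values may contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (default would lowercase keys)
    cp.read_string(text)
    return cp


def selected_fields(text):
    """Return {stanza: [field, ...]} for either file format (hypothetical helper)."""
    result = {}
    cp = _parse(text)
    for stanza in cp.sections():
        for key, value in cp[stanza].items():
            if key == "display.events.fields":
                # ui-prefs.conf style: a JSON array of field names.
                try:
                    fields = json.loads(value)
                except json.JSONDecodeError:
                    continue  # malformed value: skip rather than guess
                if isinstance(fields, list):
                    result[stanza] = [str(f) for f in fields]
            elif key.startswith("FieldPicker_") and key.endswith(".fields"):
                # viewstates.conf style: whitespace-separated field names.
                result[stanza] = value.split()
    return result


if __name__ == "__main__":
    for sample in (UI_PREFS, VIEWSTATES):
        for stanza, fields in selected_fields(sample).items():
            print(stanza, "->", ", ".join(fields))
```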
