Splunk Search

Is it possible to hide _raw from a search result?

mzorzi
Splunk Employee

The data I'm sending to my Splunk index is made of a number of KV records. A subset of one record's data looks like:

trace_event_record=v1
trace_event_valid=NO
trace_event_srv=myhost23.mydmn.net
trace_event_type=XKDopewrw$1
trace_event_location=/my/path/where/mylogs/are/javalog.log
trace_event_component_id=G08
trace_event_tags=TAG1
trace_event_timestamp=2010-07-08 06:58:00
trace_event_message= here a very long and complex message associated to this event

I would like the user to see only the content of the field trace_event_message, including in the _raw output in the 'Event List' tab, but the same user should be able to search all the other fields as well.

For example, a user's search could contain only the string "myhost23", but the visible set of information returned will only contain

here a very long and complex message associated to this event

and of course all the other messages from myhost23.

1 Solution

Lowell
Super Champion

I think you could do what you are looking for by simply renaming your fields. Try sticking this on the end of your search:

...| rename trace_event_message as _raw

If that works how you want it to, and you don't want the user to add this every time, you could do a simple form search, or if you need some of the more advanced search features, you could build a custom search view (starting from the default flashtimeline view) that would insert the rename command into the search; but that can get tricky.


connyb
Engager

Or if you'd like to do more than just select one field, use eval:

...| eval _raw = "[" . trace_event_valid . "] " . trace_event_message

EDIT: I just realized that for this example eval is a bit overkill, and strcat probably yields faster performance:

...| strcat "[" trace_event_valid "] " trace_event_message _raw

Either of the two would give the same example result:

[NO] here a very long and complex message associated to this event
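Putting Lowell's rename and connyb's eval together, here is a complete search a user could run (or that a saved search or search macro could run on their behalf). This is an added example, not code from either post: the index and sourcetype names are assumptions, as is the closing `fields` line that drops the extracted trace_event_* fields from the field sidebar so only the rewritten _raw is shown. The filter on myhost23 is evaluated against the original event text before _raw is overwritten, so the user still matches on every field while seeing only the message; events that lack a trace_event_message field keep their original _raw instead of being rewritten. Note that this only changes what the search displays: the full event remains in the index and is returned by any search the user's role is allowed to run, so it is a presentation convenience, not an access control.

```spl
index=main sourcetype=trace_events "myhost23"
| eval _raw = if(isnotnull(trace_event_message),
                 "[" . coalesce(trace_event_valid, "?") . "] " . trace_event_message,
                 _raw)
| fields - trace_event_*
```

The `if(isnotnull(...), ..., _raw)` guard and `coalesce(trace_event_valid, "?")` are there for records that are missing one of the fields; for well-formed records the result is exactly the `[NO] here a very long and complex message associated to this event` line shown above.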

