Is it possible to hide _raw from a search result?

mzorzi
Splunk Employee

The data I'm sending to my Splunk Index is made of a number of KV records. A subset of a record data looks like:

trace_event_record=v1
trace_event_valid=NO
trace_event_srv=myhost23.mydmn.net
trace_event_type=XKDopewrw$1
trace_event_location=/my/path/where/mylogs/are/javalog.log
trace_event_component_id=G08
trace_event_tags=TAG1
trace_event_timestamp=2010-07-08 06:58:00
trace_event_message= here a very long and complex message associated to this event

I would like the user to see only the content of the field trace_event_message, including in the _raw output in the 'Event List' tab, but the same user should be able to search all the other fields as well.

For example, a user search could contain only the string "myhost23", but the visible set of information returned would only contain

here a very long and complex message associated to this event

and of course all the other messages from myhost23

1 Solution

Lowell
Super Champion

I think you could do what you are looking for by simply renaming your fields. Try sticking this on the end of your search:

...| rename trace_event_message as _raw

If that works how you want it to, and you don't want the user to add this every time, you could do a simple form search, or if you need some of the more advanced search features, you could build a custom search view (starting from the default flashtimeline view) that would insert the rename command into the search; but that can get tricky.


connyb
Engager

Or, if you would like to do more than just select one field, use eval:

...| eval _raw = "[" . trace_event_valid . "] " . trace_event_message

EDIT: I just realized that for this example eval is a bit overkill, and strcat probably yields faster performance:

...| strcat "[" trace_event_valid "] " trace_event_message _raw

Either of the two would give the same example result:

[NO] here a very long and complex message associated to this event
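Putting the two answers together as one complete search (an added example, not code from either poster; the index and sourcetype names are assumed). The filter on "myhost23" runs against the extracted fields first, the eval then rewrites _raw, and `fields -` drops the extracted trace_event_* fields so the Event List shows only the rewritten line:

```spl
index=tracelogs sourcetype=trace_events myhost23
| eval _raw = "[" . coalesce(trace_event_valid, "?") . "] " . ltrim(trace_event_message)
| fields - trace_event_*
```

coalesce supplies a placeholder when trace_event_valid is absent from a record, and ltrim removes the leading space that the "trace_event_message= here ..." KV pair carries.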
