How do we permanently move some interesting fields to selected fields in a clustered environment?

splunker969
Communicator

Hi,

When I am trying to move some interesting fields to selected fields after I log out and log back in, the fields are moving back to interesting fields. Is there any chance that we can keep them permanently?
Please help.

1 Solution

gcusello
SplunkTrust

Hi splunker969,
what do you mean by "move"? Are you speaking of a regex, a calculated field, or an alias?

If this is your situation:

  • if you're speaking of a field extraction by regex, you can save the field extraction and share it;
  • if you're speaking of an alias or a calculated field, you can record and share it.

Bye.
Giuseppe

splunker969
Communicator

Hi Cusello,

Thanks for the answer. Actually, when I search for "source type=test", I want some fields in interesting fields to always show up in selected fields, so that any user sees them only in selected fields, meaning they appear in selected fields. Any suggestions, please?

Thanks,
splunker969.

0 Karma

gcusello
SplunkTrust

Selected fields is a user configuration that you can find in
$SPLUNK_HOME/splunk/etc/users//user-prefs/local/ui-prefs.conf
and that can be modified through the interface.
You can set a default user-prefs.conf that can be modified by users.

The option is:

display.events.fields = ["host","source","sourcetype"]

For additional information see https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Ui-prefsconf

Bye.
Giuseppe

0 Karma

splunker969
Communicator

Thanks cusello

0 Karma