Solved: Sideview Utils: Can the events module be configure...

chris_thuys · ‎01-13-2015

I want to only show fields in the events module is this possible ?

sideview · ‎01-21-2015

By configuring the "Events" module specifically, no.

But "yes" -- just by putting | fields - _raw into the search language. The Events module is perfectly happy to display only the fields and not the raw text.

if you're already using a Search module you can just tack | fields - _raw onto the end of the search in there.

On the other hand if you're not using a Search module, well with Sideview Utils, odds are that you're relying on legacy features in Splunk's SearchBar module. If I'm right and you are using a SearchBar in this way, it's still easy to add a Search module though, and here's the general idea.

 <module name="SearchBar">
   <module name="Search">
     <param name="search">$searchBar$ | fields - _raw</param>
     <module name="Events">
       <param name="resizeMode">fixed</param>
       <param name="height">500px</param>
    </module>
  </module>
</module>

View solution in original post

sideview · ‎01-21-2015

By configuring the "Events" module specifically, no.

But "yes" -- just by putting | fields - _raw into the search language. The Events module is perfectly happy to display only the fields and not the raw text.

if you're already using a Search module you can just tack | fields - _raw onto the end of the search in there.

On the other hand if you're not using a Search module, well with Sideview Utils, odds are that you're relying on legacy features in Splunk's SearchBar module. If I'm right and you are using a SearchBar in this way, it's still easy to add a Search module though, and here's the general idea.

 <module name="SearchBar">
   <module name="Search">
     <param name="search">$searchBar$ | fields - _raw</param>
     <module name="Events">
       <param name="resizeMode">fixed</param>
       <param name="height">500px</param>
    </module>
  </module>
</module>

chris_thuys · ‎01-21-2015

That worked. The only issue I have now is that the fields are not using the full width of the panel. In my case only about half the width. Can the width of the field columns be adjusted somehow?

sideview · ‎01-22-2015

That's strange. I assume you mean because the field list is wrapping to 2 or more lines? If so my guess is that when the HTML calculates how much space is to the right, including the margin around the field display elements, it concludes that there's not enough space and wraps them. If you poke at it in Firebug and reduce the margins experimentally, it may be just a few pixels away from all fitting, and you could override the CSS with some custom CSS in your app, possibly also making use of the "cssClass" attribute on the Events module? Kind of a lot of "ifs" there though.

fdi01 · ‎01-13-2015

try
... ...| table *
return all fields in the events module

sideview · ‎01-21-2015

Well this wouldn't actually filter out the _raw field, which is the "event text". Also the events module only ever gets the "events", ie the rows of key value pairs at the last streaming non-transforming search command. The table command is a transforming command, so technically just after the | table *, you can only get those rows by requesting the "results" from the splunk API, not the "events". Yes this is weirdly technical and unintuitive, but important to understand the interrelation of all the various splunk UI's with the underlying search results.

Sideview Utils: Can the events module be configured to only show the fields selected and not the _raw events?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...