I am a new user to Splunk Enterprise and have a basic question on how Splunk parses and displays data.
I am feeding a few .csv files (timestamp, kv pair) as my input. I was hoping that Splunk would automatically detect the "key" and show it as a field on the right-hand side (under Interesting Fields). And that's what is happening for the most part, but it is also appending a value with _. E.g., one of the fields is ProductType and it can appear as ProductType=abc, or ProductType=cde or ProductType=xyz.
What I have noticed is that if there is only one iteration of ProductType=abc and multiple iterations of the other two, Splunk will show "ProductType_abc" under "Interesting Fields". But when I click on it, it does show all three, so I can still sort.
I learned that we can change config files, and also pre-define source fields, but my access is pretty locked down and I don't have direct access to config/sys data. Is there anything I can do in my source file that will make Splunk show just the "Keys" under Interesting Fields and not club them with any of the values?