topic How to show only Certain Fields of the Events in the Search Results? in Splunk Search

How to show only Certain Fields of the Events in the Search Results?

Kyle_Brandt — Mon, 20 Dec 2010 23:25:24 GMT

How do I search and then show only show certain fields for each event?

I tried: remoteaccess host="ny-vpn" | fields Message but this seems to only restrict the fields that are listed on the left part of the page, not the actual results. I also tried ... | fields Message | fields - _* but then I only get the date.

This is for WinEventLog items sent by the light forwarder.

Re: How to show only Certain Fields of the Events in the Search Results?

maverick — Mon, 20 Dec 2010 23:52:56 GMT

Try

 remoteaccess host="ny-vpn" | fields + Message

then use the Pick Fields link on the left to pick the fields and save.

Then click the "Event Table" box-looking icon just above the results (the center one) and that should then only show the timestamp and the Message field.

Also, you can save the search and then add it to a dashboard as a "Data Table" type and, then it will ONLY show the timestamp and the Message field by default

Re: How to show only Certain Fields of the Events in the Search Results?

Ayn — Tue, 21 Dec 2010 03:12:17 GMT

You can also use the table command to have Splunk show a table containing the fields you want:

remoteaccess host="ny-vpn" | table Message