topic Re: Select Fields at search time in Splunk Search

Select Fields at search time

thepocketwade — Mon, 29 Mar 2010 23:43:06 GMT

I've got a field extraction defined in my props.conf, but now I want to be able to select it in a search without using the "Field Picker." I've not found anything in the documentation yet that's been helpful. Is there a way to do this that I'm missing?

Re: Select Fields at search time

dskillman — Tue, 30 Mar 2010 04:42:45 GMT

Do you know that it is being extracted correctly? Does the field/fields in your extraction return any results if you run:

field_in_question=*

If it does, you can add | fields list, your, fields, here to the end of a search. Once you add a field by clicking the Show In Results in the Field Picker you will not need to use it any more.

Re: Select Fields at search time

gkanapathy — Tue, 30 Mar 2010 12:21:55 GMT

By "select" do you just mean to use it in a search, or do you mean to have it display under the raw event in the Event Viewer GUI? If the former, you don't need to do anything, you can just use the field. If the latter, then no. Unfortunately the Event Viewer UI is not as tightly linked to the search query (and use of fields) as it could be.

Re: Select Fields at search time

thepocketwade — Tue, 30 Mar 2010 19:42:56 GMT

yeah, but piping to fields leaves me with just the fields passed to the fields command. I want to keep all the fields, but change what's "selected" and displayed below the log.

Re: Select Fields at search time

thepocketwade — Tue, 30 Mar 2010 19:43:25 GMT

I mean the latter, might the link be tightened in future versions of Splunk?

Re: Select Fields at search time

Lowell — Thu, 01 Apr 2010 22:08:21 GMT

Have you tried using the charting view instead of the default flashtimeline search view?This might give you what you are looking for. I liked how you could temporarily change your shown fields using the fields command in Splunk 3.x, but it didn't seem possible in Splunk 4, at least until I discovered this trick...

You can get to the "Advanced Charting" view from the menu or tack by tacking "charting" to the URL path.

Once your in the Advanced Charting view, you can minimize the Chart and formatting areas, and to focus on the results area. Then you can tack on your fields command to your search (something like | fields + field1 field2 ...). And now you should only see your fields in the "Events Table" results. So you can see only the fields you want, and in the order that you defined. (Unfortunately, it doesn't work for the fields shown in the "Events List" results pane, which is a pain.)