All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

AdvancedXML EventsViewer fields

klee310
Communicator
‎04-12-2011 10:03 AM

Splunk is not recognizing my configured fields to display.

I have a TextField module for entering AccountNumber. Inside this module is Search command and an EventsViewer. Since I am searching by AccountNumber, there is absolutely no reason for the AccountNumber field to be displayed - yet it is.

I have tried using HiddenFieldSelector module, which doesn't seem to help.

I have tried using the 'field' param inside EventsViewer, but the documentation doesn't specify whether i should use comma delimited, space delimited, or whatever. Which is not to say, I haven't tried everything.

Please help

thanks in advance

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-15-2011 11:59 AM

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>

View solution in original post

Reply
Solved! Jump to solution

klee310
Communicator
‎04-20-2011 06:46 AM

yes hazedav, I was referring to the key=value pairings directly underneath the _raw values...

and in fact, I have found the best solution is to simply pipe my command into the fields command, and specify exactly the fields which may be displayed.

However I do have one more issue with the EventsViewer... I just can't seem to find a way to turn off those damn highlight; or even define my own (for example, with the highlight command)

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-26-2011 11:44 PM

You can use Firebug to find the CSS class that is lighting up the segments in EventsViewer, and then add a style rule to your application.css file to override it.

I think this will work:

.splView-your_view_name_here .EventsViewer .default .a,
.splView-your_view_name_here .EventsViewer .default .fields .v {
background:transparent;
}

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-15-2011 11:59 AM

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...