All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AdvancedXML EventsViewer fields

klee310
Communicator
‎04-12-2011 10:03 AM

Splunk is not recognizing my configured fields to display.

I have a TextField module for entering AccountNumber. Inside this module is Search command and an EventsViewer. Since I am searching by AccountNumber, there is absolutely no reason for the AccountNumber field to be displayed - yet it is.

I have tried using HiddenFieldSelector module, which doesn't seem to help.

I have tried using the 'field' param inside EventsViewer, but the documentation doesn't specify whether i should use comma delimited, space delimited, or whatever. Which is not to say, I haven't tried everything.

Please help

thanks in advance

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-15-2011 11:59 AM

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>

View solution in original post

Reply
Solved! Jump to solution

klee310
Communicator
‎04-20-2011 06:46 AM

yes hazedav, I was referring to the key=value pairings directly underneath the _raw values...

and in fact, I have found the best solution is to simply pipe my command into the fields command, and specify exactly the fields which may be displayed.

However I do have one more issue with the EventsViewer... I just can't seem to find a way to turn off those damn highlight; or even define my own (for example, with the highlight command)

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-26-2011 11:44 PM

You can use Firebug to find the CSS class that is lighting up the segments in EventsViewer, and then add a style rule to your application.css file to override it.

I think this will work:

.splView-your_view_name_here .EventsViewer .default .a,
.splView-your_view_name_here .EventsViewer .default .fields .v {
background:transparent;
}

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-15-2011 11:59 AM

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...