All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AdvancedXML EventsViewer fields

klee310
Communicator
‎04-12-2011 10:03 AM

Splunk is not recognizing my configured fields to display.

I have a TextField module for entering AccountNumber. Inside this module is Search command and an EventsViewer. Since I am searching by AccountNumber, there is absolutely no reason for the AccountNumber field to be displayed - yet it is.

I have tried using HiddenFieldSelector module, which doesn't seem to help.

I have tried using the 'field' param inside EventsViewer, but the documentation doesn't specify whether i should use comma delimited, space delimited, or whatever. Which is not to say, I haven't tried everything.

Please help

thanks in advance

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-15-2011 11:59 AM

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>

View solution in original post

Reply
Solved! Jump to solution

klee310
Communicator
‎04-20-2011 06:46 AM

yes hazedav, I was referring to the key=value pairings directly underneath the _raw values...

and in fact, I have found the best solution is to simply pipe my command into the fields command, and specify exactly the fields which may be displayed.

However I do have one more issue with the EventsViewer... I just can't seem to find a way to turn off those damn highlight; or even define my own (for example, with the highlight command)

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-26-2011 11:44 PM

You can use Firebug to find the CSS class that is lighting up the segments in EventsViewer, and then add a style rule to your application.css file to override it.

I think this will work:

.splView-your_view_name_here .EventsViewer .default .a,
.splView-your_view_name_here .EventsViewer .default .fields .v {
background:transparent;
}

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-15-2011 11:59 AM

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...