All Apps and Add-ons

AdvancedXML EventsViewer fields

Communicator

Splunk is not recognizing my configured fields to display.

I have a TextField module for entering AccountNumber. Inside this module is Search command and an EventsViewer. Since I am searching by AccountNumber, there is absolutely no reason for the AccountNumber field to be displayed - yet it is.

I have tried using HiddenFieldSelector module, which doesn't seem to help.

I have tried using the 'field' param inside EventsViewer, but the documentation doesn't specify whether i should use comma delimited, space delimited, or whatever. Which is not to say, I haven't tried everything.

Please help

thanks in advance

1 Solution

Builder

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>

View solution in original post

Communicator

yes hazedav, I was referring to the key=value pairings directly underneath the _raw values...

and in fact, I have found the best solution is to simply pipe my command into the fields command, and specify exactly the fields which may be displayed.

However I do have one more issue with the EventsViewer... I just can't seem to find a way to turn off those damn highlight; or even define my own (for example, with the highlight command)

0 Karma

SplunkTrust
SplunkTrust

You can use Firebug to find the CSS class that is lighting up the segments in EventsViewer, and then add a style rule to your application.css file to override it.

I think this will work:

.splView-your_view_name_here .EventsViewer .default .a,
.splView-your_view_name_here .EventsViewer .default .fields .v {
background:transparent;
}

0 Karma

Builder

Klee,

I am assuming you are referring to the key=value pairings directly underneath the _raw value of each event row. I have had luck using the following syntax (I do not have any upstream FieldPicker or HiddenFieldPicker modules; which should work as well):

   <module name="EventsViewer">
       <param name="fields">* signature src src_nt_domain src_user dest dest_nt_domain user</param>
       <param name="reportFieldLink">report_builder_format_report</param>
   </module>

View solution in original post