Selected fields in fields side bar


In order to be a selected field, must that field exist in every event?

Now host, source, sourcetype are the only three fields that exist by default when I fire a search query.
Is this because all the events indexed in Splunk have/are assigned these 3 fields?

I see viewstates.conf files to set the selected fields. Is the file below, in the mentioned path, responsible for this?

Path: opt/splunk/share/splunk/app_templates/sample_app/default/viewstates.conf

Count_0_7_1.count = 10
DataOverlay_0_12_0.dataOverlayMode = none
DataOverlay_1_13_0.dataOverlayMode = none
FieldPicker_0_6_1.fields = host sourcetype source
FieldPicker_0_6_1.sidebarDisplay = True
MaxLines_0_13_0.maxLines = 10
RowNumbers_0_12_0.displayRowNumbers = true
RowNumbers_1_11_0.displayRowNumbers = true
RowNumbers_2_12_0.displayRowNumbers = true
Segmentation_0_14_0.segmentation = inner
SoftWrap_0_11_0.enable = True
0 Karma

In addition to martin's answer:

No, a field does not necessarily have to exist in every event. If it's there, you see it in the line under the event even if the event view is not expanded.

If you want to see only events with this field, you can type "fieldname=*" in the search, or click on the field in the list of "interesting fields" and select "only events with this field", which adds this attribute to the search.

But beware: this can slow down your search.



0 Karma


Selected fields are selected because you selected them... 😄

Click a field in the side bar and click the Selected: Yes button in the top right corner of the popup.
Underneath, that gets stored in $SPLUNK_HOME/etc/users///local/ui-prefs.conf:

[<app>] = ["host","source","sourcetype","component"]

I'm sure you can set that in the apps structure as well for all users using that app.