In order to be a selected field, does that field have to exist in every event?
Now host, source, sourcetype are the only three fields that exist by default when I fire a search query.
Is this because all the events indexed in Splunk have/are assigned these 3 fields?
I see viewstates.conf files to set the selected fields. Is the below file in the mentioned path responsible for this?
Path: opt/splunk/share/splunk/apptemplates/sampleapp/default/viewstates.conf

    [flashtimeline:fwk4471e]
    Count_0_7_1.count = 10
    DataOverlay_0_12_0.dataOverlayMode = none
    DataOverlay_1_13_0.dataOverlayMode = none
    FieldPicker_0_6_1.fields = host sourcetype source
    FieldPicker_0_6_1.sidebarDisplay = True
    MaxLines_0_13_0.maxLines = 10
    RowNumbers_0_12_0.displayRowNumbers = true
    RowNumbers_1_11_0.displayRowNumbers = true
    RowNumbers_2_12_0.displayRowNumbers = true
    Segmentation_0_14_0.segmentation = inner
    SoftWrap_0_11_0.enable = True

Selected fields are selected because you selected them... 😄
Click a field in the side bar and click the "Selected: Yes" button in the top right corner of the popup.
Underneath that gets stored in

    [<app>]
    display.events.fields = ["host","source","sourcetype","component"]

I'm sure you can set that in the app's structure as well for all users using that app.

In addition to martin's answer:
No, a field must not necessarily exist in every event. If it's there, you see it in the line under the event even if the event view is not expanded.
If you want to see only events with this field you can type "fieldname=*" in the search or click on the field in the list of "interesting fields" and select "only events with this field" which adds this attribute to the search.
But beware, this can slow down your search.