Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to hide fields from "interesting fields" once they have been aliased?

kennethehughes
New Member
‎06-20-2019 03:19 PM

Hello! We currently index a variety of XML files that we auto-extract the fields from using XML KV. Because the XMLs are a flattened version of system files with a variety of classes/loops, the fields end up being named something like "explanation_of_benefits.member.address.zip" or something along those lines.

We created a suite of aliases to give them friendlier names when searching, but the original fields are still present, clogging up the "interesting fields" space if you search in verbose/smart mode.

Is there any way to hide these original fields? I found some old posts saying it might have been possible in v5, but once v6 came out that solution stopped working.

Thanks!

Labels (1)
Labels
0 Karma
Reply

alucarddjin
Path Finder
‎06-01-2020 06:27 AM

Long time ago now but if anyone else comes looking here's a solution

Best thing to do is in props if you're using KV_MODE=XML take that off, if you're not using KV, no worries. Then EVAL<field_name> = spath all the fields you want to keep

EG:
EVAL-ZIP = spath(_raw,'explanation_of_benefits.member.address.zip')

This will give you a field called ZIP with the value you need and no full path.

Also if you still need to get back to the full paths temporally for any reason (looking at a new field) you can just use spath again in the search head:

index=explain sourcetype=benifits | spath

This will give you all the paths in the _raw

Hope this helps someone.

0 Karma
Reply

rslama
Path Finder
‎06-21-2019 11:30 AM

the only way I got around this issue is by moving my data into another index:
after I ran this "all time" I scheduled a report with the search below, to update my "clean" index every hour for the last hour.

index=myxml sourcetype=toomanyfields
| table clean_field1 clean_field2 clean_field3

| collect index=clean sourcetype=clean_data

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2019 05:51 AM

Have you tried something like ... | fields - explanation_of_benefits.* | ... ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kennethehughes
New Member
‎06-21-2019 09:14 AM

Hi Rich,

Unfortunately we were hoping for something that we wouldn't have to add to each search, as there are about 20-30 of these fields for each file type. But thank you for your response!

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...