Is it possible to hide fields from "interesting fields" once they have been aliased?

New Member

Hello! We currently index a variety of XML files that we auto-extract the fields from using XML KV. Because the XMLs are a flattened version of system files with a variety of classes/loops, the fields end up being named something like "explanation_of_benefits.member.address.zip" or something along those lines.

We created a suite of aliases to give them friendlier names when searching, but the original fields are still present, clogging up the "interesting fields" space if you search in verbose/smart mode.

Is there any way to hide these original fields? I found some old posts saying it might have been possible in v5, but once v6 came out that solution stopped working.

Thanks!

0 Karma

Explorer

Long time ago now, but if anyone else comes looking, here's a solution.

Best thing to do is in props: if you're using KV_MODE=XML, take that off; if you're not using KV, no worries. Then EVAL-<field_name> = spath all the fields you want to keep.

EG:
EVAL-ZIP = spath(_raw, "explanation_of_benefits.member.address.zip")

This will give you a field called ZIP with the value you need and no full path.

Also, if you still need to get back to the full paths temporarily for any reason (looking at a new field), you can just use spath again in the search head:

index=explain sourcetype=benifits | spath

This will give you all the paths in the _raw.

Hope this helps someone.

0 Karma
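
Added example, not part of the reply above and not Splunk's own tooling: with 20-30 fields per file type, the props.conf stanza described in that reply can be generated from a sample event instead of typed by hand. The sourcetype name `benefits_xml`, the friendly names and the sample XML are constructed for illustration; only element paths are handled, not XML attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample event, shaped like the field path quoted in the thread.
SAMPLE_XML = """<explanation_of_benefits>
  <member>
    <name>Pat Example</name>
    <address><city>Springfield</city><zip>12345</zip></address>
  </member>
  <claim><total>100.00</total></claim>
</explanation_of_benefits>"""

# Hypothetical friendly names: full spath path -> short field name.
KEEP = {
    "explanation_of_benefits.member.address.zip": "ZIP",
    "explanation_of_benefits.member.name": "MEMBER_NAME",
    "explanation_of_benefits.claim.total": "CLAIM_TOTAL",
}

def leaf_paths(xml_text):
    """Return the dotted path of every leaf element, in document order."""
    root = ET.fromstring(xml_text)
    paths = []

    def walk(node, prefix):
        path = f"{prefix}.{node.tag}" if prefix else node.tag
        children = list(node)
        if not children and path not in paths:
            paths.append(path)
        for child in children:
            walk(child, path)

    walk(root, "")
    return paths

def build_stanza(sourcetype, xml_text, keep):
    """Build a props.conf stanza; refuse paths the sample does not contain."""
    present = set(leaf_paths(xml_text))
    missing = sorted(p for p in keep if p not in present)
    if missing:
        raise ValueError(f"paths not found in sample: {missing}")
    lines = [f"[{sourcetype}]", "KV_MODE = none"]
    for path, name in keep.items():
        # Double quotes: in eval, single quotes mean a field name, not a string.
        lines.append(f'EVAL-{name} = spath(_raw, "{path}")')
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_stanza("benefits_xml", SAMPLE_XML, KEEP))
```

The check against the sample catches a mistyped path before it reaches props.conf, where it would otherwise just produce an empty field.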

Path Finder

The only way I got around this issue is by moving my data into another index.
After I ran this "all time", I scheduled a report with the search below to update my "clean" index every hour for the last hour.

index=myxml sourcetype=toomanyfields
| table clean_field1 clean_field2 clean_field3
| collect index=clean sourcetype=clean_data

0 Karma

SplunkTrust

Have you tried something like ... | fields - explanation_of_benefits.* | ... ?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Hi Rich,

Unfortunately we were hoping for something that we wouldn't have to add to each search, as there are about 20-30 of these fields for each file type. But thank you for your response!

0 Karma