Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to hide fields from "interesting fields" once they have been aliased?

kennethehughes
New Member
‎06-20-2019 03:19 PM

Hello! We currently index a variety of XML files that we auto-extract the fields from using XML KV. Because the XMLs are a flattened version of system files with a variety of classes/loops, the fields end up being named something like "explanation_of_benefits.member.address.zip" or something along those lines.

We created a suite of aliases to give them friendlier names when searching, but the original fields are still present, clogging up the "interesting fields" space if you search in verbose/smart mode.

Is there any way to hide these original fields? I found some old posts saying it might have been possible in v5, but once v6 came out that solution stopped working.

Thanks!

Labels (1)
Labels
0 Karma
Reply

alucarddjin
Path Finder
‎06-01-2020 06:27 AM

Long time ago now but if anyone else comes looking here's a solution

Best thing to do is in props if you're using KV_MODE=XML take that off, if you're not using KV, no worries. Then EVAL<field_name> = spath all the fields you want to keep

EG:
EVAL-ZIP = spath(_raw,'explanation_of_benefits.member.address.zip')

This will give you a field called ZIP with the value you need and no full path.

Also if you still need to get back to the full paths temporally for any reason (looking at a new field) you can just use spath again in the search head:

index=explain sourcetype=benifits | spath

This will give you all the paths in the _raw

Hope this helps someone.

0 Karma
Reply

rslama
Path Finder
‎06-21-2019 11:30 AM

the only way I got around this issue is by moving my data into another index:
after I ran this "all time" I scheduled a report with the search below, to update my "clean" index every hour for the last hour.

index=myxml sourcetype=toomanyfields
| table clean_field1 clean_field2 clean_field3

| collect index=clean sourcetype=clean_data

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2019 05:51 AM

Have you tried something like ... | fields - explanation_of_benefits.* | ... ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kennethehughes
New Member
‎06-21-2019 09:14 AM

Hi Rich,

Unfortunately we were hoping for something that we wouldn't have to add to each search, as there are about 20-30 of these fields for each file type. But thank you for your response!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...