Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do we permanently move some interesting fields to selected fields in a clustered environment ?

splunker969
Communicator
‎03-26-2018 01:34 PM

Hi,

When I am trying to move some interesting fields to selected fields after I log out and log back in, the fields are moving back to interesting fields. Is there any chance that we can keep them permanently?
Please help.

Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-27-2018 12:24 AM

Hi splunker969,
what do you mean with "move", are you speaking of a regex or a calculated field or an alias?

If this is your situation:

  • if you're speaking of a field extraction by regex, you can save field extraction and share it;
  • if you're speaking of an alias or a calculated field you can record and share it.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-27-2018 12:24 AM

Hi splunker969,
what do you mean with "move", are you speaking of a regex or a calculated field or an alias?

If this is your situation:

  • if you're speaking of a field extraction by regex, you can save field extraction and share it;
  • if you're speaking of an alias or a calculated field you can record and share it.

Bye.
Giuseppe

Reply
Solved! Jump to solution

splunker969
Communicator
‎03-27-2018 06:08 AM

Hi Cusello ,

Thanks for answer.Actually when i search for "source type=test "I want some fields in interesting fields always show up in selected fields even if any user should see them only in selected fields means appear in selected fields any suggestions please .

Thanks,
splunker969.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-27-2018 06:30 AM

Selected fields is a user configuration, that you can find in
$SPLUNK_HOME/splunk/etc/users//user-prefs/local/ui-prefs.conf
and that's possible to modify by interface.
You can set a default user-prefs.conf that can be modified by users

the option is 

display.events.fields = ["host","source","sourcetype"]

For additional information see https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Ui-prefsconf

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

splunker969
Communicator
‎03-27-2018 06:53 AM

Thanks cusello

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...