Deployment Architecture

How do we permanently move some interesting fields to selected fields in a clustered environment?

Communicator

Hi,

When I am trying to move some interesting fields to selected fields after I log out and log back in, the fields are moving back to interesting fields. Is there any chance that we can keep them permanently?
Please help.

1 Solution

Legend

Hi splunker969,
What do you mean by "move"? Are you speaking of a regex, a calculated field or an alias?

If this is your situation:

  • if you're speaking of a field extraction by regex, you can save the field extraction and share it;
  • if you're speaking of an alias or a calculated field, you can record and share it.

Bye.
Giuseppe

Communicator

Hi Cusello,

Thanks for the answer. Actually, when I search for "source type=test", I want some fields in interesting fields to always show up in selected fields; any user should see them only in selected fields, meaning they appear in selected fields. Any suggestions, please?

Thanks,
splunker969.

0 Karma

Legend

Selected fields is a user configuration that you can find in
$SPLUNK_HOME/splunk/etc/users//user-prefs/local/ui-prefs.conf
and that can be modified through the interface.
You can set a default user-prefs.conf that can be modified by users.

The option is

display.events.fields = ["host","source","sourcetype"]

For additional information see https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Ui-prefsconf

Bye.
Giuseppe

0 Karma

Communicator

Thanks cusello

0 Karma