add field to Selected Fields permanently (bar on left side of search results)

spunk311z
Path Finder

We are running Splunk v6.6, and I have tried just about every answer on these forums, but I cannot get anything to add to the "Selected Fields" on the left-hand side (beyond the stock defaults of Host, Source, Sourcetype).

See image; I'm trying to add "index" where I have the red line (which should also add it below each search result, i.e. where the 2nd red line is).

The change that makes the most sense (but is having no effect) is this one:
Add to the file:
C:\Program Files\Splunk\etc\users\admin\user-prefs\local\ui-prefs.conf

[default]
display.events.fields = ["host","index","source","sourcetype"]

(from: https://answers.splunk.com/answers/634367/how-do-we-permanently-move-some-interesting-fields.html
and from: https://docs.splunk.com/Documentation/Splunk/6.4.4/Admin/Ui-prefsconf)

And then restart Splunk (I always restart the Splunk service via the Splunk Web GUI after each of these changes I'm trying).

Another setting I've tried is in:
C:\Program Files\Splunk\etc\apps\search\local\viewstates.conf
to add:

[flashtimeline:_current]
FieldPicker_0_6_1.fields = host,sourcetype,source,index

(from: https://answers.splunk.com/answers/185864/selected-fields-in-fields-side-bar.html )

However, none of these has made any change, i.e. I still always have the default Host, Source, Sourcetype.

Any suggestions? Thanks!

0 Karma
1 Solution

woodcock
Esteemed Legend

The correct answer is the first one but either a local viewstate is overriding it (easily changed by adding it once through the GUI) OR something else is overriding the setting. Check for the latter like this:

$SPLUNK_HOME/splunk/bin/splunk btool ui-prefs list --debug default | grep sourcetype

Also, this has to be deployed to ALL Search Heads.

whrg
Motivator

I was having the same issue: Moving the "index" field to the selected field list for all users.

I was testing various config files and settings. This is the one which solved the issue for me:

/opt/splunk/etc/apps/myapp/default/ui-prefs.conf 
[default]
display.events.fields = ["host","index","source","sourcetype"]

(system/local/ui-prefs.conf should work as well.)

Now it is important to note that if a user had already changed his selected fields prior to this change, then the user preferences ( /opt/splunk/etc/users/your_user/search/local/ui-prefs.conf) will override the global setting above and thus the "index" field might not display under selected fields. Regardless, it will work for newly created users and users who haven't changed their selected fields yet.

0 Karma
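As an added example (not written by any poster in this thread and not Splunk's own tooling): a Python script that lists every ui-prefs.conf under an etc directory that sets display.events.fields and flags per-user files, which the post above says override the shared setting. The sample tree, the [search] stanza in the user file and all function names are constructed for illustration.

```python
import json
import os
import tempfile
KEY = "display.events.fields"

def read_setting(path, wanted_key=KEY):
    """Yield (stanza, value) for wanted_key in a Splunk-style .conf file."""
    stanza = "default"  # assumption: keys before any header count as [default]
    with open(path, encoding="utf-8") as fh:
        for line in map(str.strip, fh):
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
            elif not line.startswith("#") and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == wanted_key:
                    yield stanza, value

def find_field_settings(etc_dir, wanted="index"):
    """List every ui-prefs.conf under etc_dir that sets KEY; flag per-user files."""
    rows = []
    for root, _dirs, files in os.walk(etc_dir):
        if "ui-prefs.conf" not in files:
            continue
        path = os.path.join(root, "ui-prefs.conf")
        rel = os.path.relpath(path, etc_dir).replace(os.sep, "/")
        for stanza, value in read_setting(path):
            try:
                fields = list(json.loads(value))
            except (ValueError, TypeError):
                fields = []  # malformed value: report the file with no fields
            rows.append({"file": rel, "stanza": stanza, "fields": fields,
                         "user_level": rel.startswith("users/"),
                         "has_wanted": wanted in fields})
    return sorted(rows, key=lambda r: r["file"])

def build_sample_tree(base):
    """Write a constructed etc/ layout using the paths named in the thread."""
    shared = '[default]\n' + KEY + ' = ["host","index","source","sourcetype"]\n'
    user = '[search]\n' + KEY + ' = ["host","source","sourcetype"]\n'
    samples = {"apps/myapp/default/ui-prefs.conf": shared,
               "users/your_user/search/local/ui-prefs.conf": user}
    for rel, text in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base

if __name__ == "__main__":
    print(*find_field_settings(build_sample_tree(tempfile.mkdtemp())), sep="\n")
```

Pointing find_field_settings at a real etc directory shows which users still carry their own copy of the setting without "index".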

spunk311z
Path Finder

Thanks, it actually was your "former / 1st" part, i.e. in search, I had to add index again via the web GUI, and then it stuck for all future searches via the search app (even after restarting the Splunk server it stuck). FWIW, this is the grep'd output of running the command you requested:

c:\Program Files\Splunk\etc\system\local\ui-prefs.conf display.events.fields = ["host","index","source","sourcetype"]

One follow-up question, please:
To now add this "index" field to my previously saved reports (index is not showing currently), I would need to go to each report, add index via the web GUI, and then save the report (so any future manual runs of said report will now include "index" under "Selected Fields"), correct?
(Thanks a lot!)

0 Karma

woodcock
Esteemed Legend

No, that is another setting entirely. Add this same setting in savedsearches.conf (it can be in [default]):

display.events.fields = ["host","index","source","sourcetype"]