we are running splunk v6.6 , and i have tried just about every answer on these forums, but i can not get anything to add to the "Selected Fields" on the left hand side (beyond the stock defaults of Host,Source,Sourcetype).
see image, im trying to add "index" to where i have the red line (which should also add it below each search result, ie where the 2nd red line is).
the change that makes the most sense (but is having no effect), is this one:
add to the file:
[default] display.events.fields = ["host","index","source","sourcetype"]
And then restart splunk (i am always restarting splunk service , via splunk web gui, after each of these changes im trying).
another setting ive tried is in:
[flashtimeline:_current] FieldPicker_0_6_1.fields = host,sourcetype,source,index
however none of these having any change, ie i still always have the default Host,Source,Sourcetype.
any suggestions? thanks!
The correct answer is the first one but either a local
viewstate is overriding it (easily change by adding it once through the GUI) OR something else is overriding the setting. Check for the latter like this:
$SPLUNK_HOME/splunk/bin/splunk btool ui-prefs list --debug default | grep sourcetype
Also, this has to be deployed to ALL Search Heads.
thanks, it actually was your "Former / 1st" part, ie in search, i had to add index again via the web gui, and then it stuck for all future searches via search app. (even after restarting splunk server it stuck). FWIW, this is the grep'd output of running the command you requested:
one followup ? please:
To now add this "index" field to my previously saved reports (index is not showing currently), i would need to go to each report, and via the web gui- add index, and then save the report? (so any future manual runs of said report will now include "index" under "Selected Fields" , correct?
No, that is another setting entirely. Add this same setting in
savedsearches.conf (it can be in
display.events.fields = ["host","index","source","sourcetype"]