Deployment Architecture
Highlighted

add field to Selected Fields permanently (bar on left side of search results)

Path Finder

we are running splunk v6.6 , and i have tried just about every answer on these forums, but i can not get anything to add to the "Selected Fields" on the left hand side (beyond the stock defaults of Host,Source,Sourcetype).

see image, im trying to add "index" to where i have the red line (which should also add it below each search result, ie where the 2nd red line is).

alt text

the change that makes the most sense (but is having no effect), is this one:
add to the file:
C:\Program Files\Splunk\etc\users\admin\user-prefs\local\ui-prefs.conf

[default]
display.events.fields = ["host","index","source","sourcetype"]

(
from: https://answers.splunk.com/answers/634367/how-do-we-permanently-move-some-interesting-fields.html
and from: https://docs.splunk.com/Documentation/Splunk/6.4.4/Admin/Ui-prefsconf
)

And then restart splunk (i am always restarting splunk service , via splunk web gui, after each of these changes im trying).

another setting ive tried is in:
C:\Program Files\Splunk\etc\apps\search\local\viewstates.conf
to add:

[flashtimeline:_current]
FieldPicker_0_6_1.fields = host,sourcetype,source,index

(from: https://answers.splunk.com/answers/185864/selected-fields-in-fields-side-bar.html )

however none of these having any change, ie i still always have the default Host,Source,Sourcetype.

any suggestions? thanks!

Labels (1)
Tags (2)
0 Karma
Highlighted

Re: add field to Selected Fields permanently (bar on left side of search results)

Esteemed Legend

The correct answer is the first one but either a local viewstate is overriding it (easily change by adding it once through the GUI) OR something else is overriding the setting. Check for the latter like this:

$SPLUNK_HOME/splunk/bin/splunk btool ui-prefs list --debug default | grep sourcetype

Also, this has to be deployed to ALL Search Heads.

View solution in original post

0 Karma
Highlighted

Re: add field to Selected Fields permanently (bar on left side of search results)

Path Finder

thanks, it actually was your "Former / 1st" part, ie in search, i had to add index again via the web gui, and then it stuck for all future searches via search app. (even after restarting splunk server it stuck). FWIW, this is the grep'd output of running the command you requested:

c:\Program Files\Splunk\etc\system\local\ui-prefs.conf display.events.fields = ["host","index","source","sourcetype"]

one followup ? please:
To now add this "index" field to my previously saved reports (index is not showing currently), i would need to go to each report, and via the web gui- add index, and then save the report? (so any future manual runs of said report will now include "index" under "Selected Fields" , correct?
(thanks alot!)

0 Karma
Highlighted

Re: add field to Selected Fields permanently (bar on left side of search results)

Esteemed Legend

No, that is another setting entirely. Add this same setting in savedsearches.conf (it can be in [default]😞

display.events.fields = ["host","index","source","sourcetype"]
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.