How do I hide a value from field in Splunk from li...

AbhinavRanjan · ‎09-18-2022

I have two values in a field source, I need to hide one i.e., http:kafka

AbhinavRanjan · ‎09-18-2022

@gcusello query I am using

|table _time,cluster_name,namespaceName,podName,policyName,message, severity,action,tags,resource,source,

gcusello · ‎09-18-2022

Hi @AbhinavRanjan,

how dinamic data source fields are generated?

is it possible for you to use a different name?

if not you have to manipulate your multivalue to always take the first or the second, something like this:

...
| eval source=mvindex(source,0)
| table _time,cluster_name,namespaceName,podName,policyName,message, severity,action,tags,resource,source,

Ciao.

Giuseppe

AbhinavRanjan · ‎09-18-2022

@gcusello

I have two source fields, One from the Splunk configuration(static throughout) and another from the logs which I am forwarding(dynamic data) , both are getting merged into a single field.

I just want to hide the configuration data, i.e http:kafka here from the source

AbhinavRanjan · ‎09-18-2022

I have two source fields, One from the Splunk configuration(static throughout) and another from the logs which I am forwarding(dynamic data) , both are getting merged into a single field.

I just want to hide the configuration data, i.e http:kafka here from the source

gcusello · ‎09-18-2022

Hi @AbhinavRanjan,

every event has one source value, so probably you're speaking of a search result aggregating more values from many events, probably in a stats command using the list option,

could you share your search?

Anyway, if you're speaking of a value from a stats command, use first or last or values instead of list option.

Ciao.

Giuseppe

How do I hide a value from field in Splunk from list of two values?

field extraction

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!