Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to stop index extraction fields displaying on the search head??

BuzzLights10
Explorer
‎06-01-2021 05:59 AM

Hello Community,

I want to remove a select few fields which are extracted by default like punct, splunkserver, etc. 

By remove, I mean I do not want these fields to be displayed when I search for data in these indexes on the Search head. 
I went through many posts but could not find anything appropriate as to how this can be achieved in the back end. Maybe I am missing something on the props or fields.conf files??

Any help is appreciated!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2021 10:49 AM

I'm not aware of any way to control what is displayed in the "Interesting fields" area.  We can use the fields command to control what is displayed in search results, of course.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2021 06:27 AM

If you run your searches in Fast Mode then Splunk will not perform search-time extractions.

For index-time extractions, the only one you can disable (AFAIK) is punct.  Use the ANNOTATE_PUNCT=false setting in props.conf to do that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

BuzzLights10
Explorer
‎06-04-2021 09:37 AM

Hi @richgalloway 

Thank you for the reply . On some data sets when I need to see the detailed list of fields or to only see the fields i've manually extracted(basically running in smart or verbose)...is there any way to not display these default fields then??

Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...