Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why does the search query does not show host, source, and sourcetype below each event?

neerajshah81
Path Finder
‎07-11-2018 08:49 AM

Hi, I am taking Splunk Fundamentals course and during one of the lab exercises related to performing a search operation i noticed that my output of search query does not show the common fields like "host, source and source type" below each event , which are normally supposed to be extracted by default. My question is not about lab manual. Basically, i am curious as in What is making splunk to not show these 3 fields? I am using the exact query that is listed in the manual. Please refer to below screenshots.

My output ( which doesn't show those 3 fields)
alt text

Expected output as shown in the lab manual :

alt text

Preview file
85 KB
Preview file
56 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 09:18 AM

Hi @neerajshah81,

The default fields displayed with the event is decided by the user "Selected Fields" which is normally shown on the left panel under "Selected fields" and on basis of the user selection - expanding the event and select the fields manually(selecting checkbox). Configuration setting is stored in ui-prefs.conf of the user ie. splunk\etc\users\"user_name"\search\local\ui-prefs.conf

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 09:18 AM

Hi @neerajshah81,

The default fields displayed with the event is decided by the user "Selected Fields" which is normally shown on the left panel under "Selected fields" and on basis of the user selection - expanding the event and select the fields manually(selecting checkbox). Configuration setting is stored in ui-prefs.conf of the user ie. splunk\etc\users\"user_name"\search\local\ui-prefs.conf

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-11-2018 09:01 AM

The in-line callout of fields and values happens for selected fields. To select a field, click on the All Fields link to get a field selector. Click on the checkbox to the left of whichever fields you would like Selected. Then click the Done button. You will see a new Selected Fields section above your existing Interesting Fields section and your in-line callouts should be there, too. These settings are somewhat sticky and I believe related to the neglected/no-longer-really-supported viewstates feature of Splunk.

Reply
Solved! Jump to solution

neerajshah81
Path Finder
‎07-11-2018 11:45 AM

Thank you woodcock & Renjith.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-11-2018 02:58 PM

Up-Votes appreciated.

0 Karma
Reply
Solved! Jump to solution

neerajshah81
Path Finder
‎07-11-2018 05:51 PM

Granted. Sorry getting used to splunk forums.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...