Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the search query does not show host, source, and sourcetype below each event?

neerajshah81
Path Finder
‎07-11-2018 08:49 AM

Hi, I am taking Splunk Fundamentals course and during one of the lab exercises related to performing a search operation i noticed that my output of search query does not show the common fields like "host, source and source type" below each event , which are normally supposed to be extracted by default. My question is not about lab manual. Basically, i am curious as in What is making splunk to not show these 3 fields? I am using the exact query that is listed in the manual. Please refer to below screenshots.

My output ( which doesn't show those 3 fields)
alt text

Expected output as shown in the lab manual :

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 09:18 AM

Hi @neerajshah81,

The default fields displayed with the event is decided by the user "Selected Fields" which is normally shown on the left panel under "Selected fields" and on basis of the user selection - expanding the event and select the fields manually(selecting checkbox). Configuration setting is stored in ui-prefs.conf of the user ie. splunk\etc\users\"user_name"\search\local\ui-prefs.conf

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 09:18 AM

Hi @neerajshah81,

The default fields displayed with the event is decided by the user "Selected Fields" which is normally shown on the left panel under "Selected fields" and on basis of the user selection - expanding the event and select the fields manually(selecting checkbox). Configuration setting is stored in ui-prefs.conf of the user ie. splunk\etc\users\"user_name"\search\local\ui-prefs.conf

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-11-2018 09:01 AM

The in-line callout of fields and values happens for selected fields. To select a field, click on the All Fields link to get a field selector. Click on the checkbox to the left of whichever fields you would like Selected. Then click the Done button. You will see a new Selected Fields section above your existing Interesting Fields section and your in-line callouts should be there, too. These settings are somewhat sticky and I believe related to the neglected/no-longer-really-supported viewstates feature of Splunk.

Reply
Solved! Jump to solution

neerajshah81
Path Finder
‎07-11-2018 11:45 AM

Thank you woodcock & Renjith.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-11-2018 02:58 PM

Up-Votes appreciated.

0 Karma
Reply
Solved! Jump to solution

neerajshah81
Path Finder
‎07-11-2018 05:51 PM

Granted. Sorry getting used to splunk forums.

Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...