Splunk Search

Can I display metadata in EventsViewer module?

Mick
Splunk Employee
Splunk Employee

I'd like the events displayed to have this data at the bottom as they do by default in the search app, but I can't find anything in the documentation about building it into a view.

Tags (3)

klee310
Communicator

someone please help, i'm using version 4.2 and the fields param doesn't seem to have any effect. In fact, it is instead displaying all fields. Is there some setting I am missing, or somewhere in a ViewStates config file which is overriding my defaults?

0 Karma

mzorzi
Splunk Employee
Splunk Employee

Hi Ciaran,

to view the medata fields with the EventViewer use the "fields" parameter. For instance:

<module name="EventsViewer">
     <param name="fields">host source</param>
    </module>

Document Reference

http://www.splunk.com/base/Documentation/4.1/Developer/ModuleReference#EventsViewer

sideview
SplunkTrust
SplunkTrust

NOTE: this answer is correct but is referring to how to do it when you are using the advanced XML. To do the same thing in the simplified XML you use host source url status bytes
in the node.

0 Karma

parallaxed
Path Finder

Mick posted this here on our behalf.

What's the different answer? In this case we are using the Raw XML.

To restate the question (hopefully with more clarity) we're after a way to display the metadata for each event (i.e. host, source, sourcetype etc), just as it is displayed when you do a vanilla search. When using EventsViewer this isn't included by default. How do we get it there?

0 Karma

sideview
SplunkTrust
SplunkTrust

As posted by mzorzi, in the advanced XML you put
host source
into the EventsViewer.
See the autogenerated module docs (/modules on your build) or the module reference on splunk.com for discussion of params.

Worth noting is that there are in general two ways of setting fields for several modules.
1) setting a fields parameter in the module itself
2) Having an upstream FieldPicker or HiddenFieldPicker.

In cases where both conditions are present, the upstream setting always overrides the downstream setting.

sideview
SplunkTrust
SplunkTrust

This can be done if you edit the XML itself. Click Actions > Edit Dashboard this will open the dashboard editing popup. You'll see a link at the bottom left of the layer that says 'Edit name/XML'. Click that. You'll be taken to a page with a big textarea containing some XML. Find the element, which will look something like this:

<event>
  <searchString>sourcetype=access_combined status=500</searchString>
  <title>my dashboard test</title>
  <earliestTime>-1h</earliestTime>
  <latestTime></latestTime>
</event>

add a fifth node inside your element, making for a total of:

<event>
  <searchString>sourcetype=access_combined status=500</searchString>
  <title>my dashboard test</title>
  <earliestTime>-1h</earliestTime>
  <latestTime></latestTime>
  <fields>host source url status bytes</fields>
</event>

NOTE: im making an assumption that you're talking about the dashboard UI builder, and the simplified XML. If you're using the advanced XML then you just find the EventsViewer module in your view and you add an extra param right inside, like:

<param name="fields">host sourcetype clientip</param>
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...