Splunk Search

How can I see what the source and sourcetype are for an Event

igotimac
Engager

In previous versions of Splunk, on the search interface, "source" and "sourcetype" were reported underneath each event.

In the latest version I see no way of determining what source log file a particular event came from. I can click on "show source" but this does not tell me the file name.

The dashboard still shows "source" and "sourcetype" and I can see that I can search based on these things, but if I search all sources I need a way to figure out which source a particular event came from.


sideview
SplunkTrust

2 possibilities --

1) If you're talking about the main search interface: by default we have 'source', 'sourcetype' and 'host' selected in the field picker.

It's possible that you or someone else using the same login at some point opened the Field picker popup and unchecked source and sourcetype.

To fix, after running your search in the search UI, click the 'Pick fields' link over in the blue sidebar. If source and sourcetype are only on the left side, click them and they'll be added to the selected fields over on the right side.

2) In a dashboard.

If on the other hand you have no idea what I'm talking about above, you're probably asking how to do this in a dashboard. It's easy to put events on a dashboard, but I think by default they appear there with no fields, and you have to edit the XML to get them to do so.

So, if that's the case, to fix it click 'Edit dashboard', then the 'Edit name/XML' link in the lower left of that panel. A form with some XML will pop up. You'll see a bit that looks like:

<event>
  <searchString>your search here.</searchString>
  <title>your panel name</title>
</event>

add a node to it like so:

<event>
  <searchString>your search here.</searchString>
  <title>your panel name</title>
  <fields>host sourcetype source</fields>
</event>

Simeon
Splunk Employee

The source and sourcetype fields should be shown by default. You may need to select them from the field picker window pane on the left side of the search interface. If you wanted Splunk to return the values for those fields, you could use the fields command. Your search would look something like:

my search query | fields source sourcetype
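As an added example (not part of either answer above), the following SPL attaches source and sourcetype to every event row and then goes a step further than the answers by summarising which log files actually contributed events to a broad search; `index=*` and the time ranges are assumptions, substitute your own search:

```spl
index=* earliest=-15m
| table _time host source sourcetype _raw

index=* earliest=-24h
| stats count, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host source sourcetype
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

The first search shows the originating file next to each event regardless of field-picker settings; the second is useful when checking that every expected log file is still being indexed, since a source that stops appearing is often the first sign of a broken forwarder or a log path that changed.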