Splunk Search

How do I show/hide the fields that are shown at the bottom of each set of results of a transaction search in Events view?

daishih
Path Finder

When I run the following transaction search from the dashboard I created it only displays "host=.... source=.... sourcetype=...." at the bottom of each set of results from the transaction search in Events view.

* [search sourcetype=pan:traffic  
| where user="mydomain\\$userName$" 
| rename src_ip AS src | fields src] 
| rename reason AS connection_state 
| rename log_subtype AS connection_state 
| rename dst AS destination 
| rename dst_port AS destination_port 
| rename dest_ip AS destination 
| rename dest_port AS destination_port 
| transaction sourcetype session_id action src src_port src_zone destination destination_port dest_zone connection_state 
| where duration>0

Is there a way to show/hide the fields such as source and destination? Can these be reordered?

Tags (2)
0 Karma
1 Solution

daishih
Path Finder

It turns out the only way I was able to accomplish what I wanted was to run a search using:

  • [search sourcetype=pan:traffic | where user="mydomain\JohnDoe" | rename src_ip AS src | fields src] | rename reason AS connection_state | rename log_subtype AS connection_state | rename dst AS destination | rename dst_port AS destination_port | rename dest_ip AS destination | rename dest_port AS destination_port | transaction sourcetype session_id action src src_port src_zone destination destination_port dest_zone connection_state | where duration>0

Then I selected the fields I wanted via the left "interesting fields" panel and saved the search as a dashboard panel. Then I went back to the dashboard panel and edited where user="mydomain\\JohnDoe" with my token where user="mydomain\\$userName$" and it works. I am still unable to change the order in which the fields appear but I guess that is not an option. This is a silly way of doing things and I wish Splunk would make the dashboard searches work identically to the regular main search in the program. This isn't the first time something has worked for me in the main search but not in the dashboard...

View solution in original post

daishih
Path Finder

It turns out the only way I was able to accomplish what I wanted was to run a search using:

  • [search sourcetype=pan:traffic | where user="mydomain\JohnDoe" | rename src_ip AS src | fields src] | rename reason AS connection_state | rename log_subtype AS connection_state | rename dst AS destination | rename dst_port AS destination_port | rename dest_ip AS destination | rename dest_port AS destination_port | transaction sourcetype session_id action src src_port src_zone destination destination_port dest_zone connection_state | where duration>0

Then I selected the fields I wanted via the left "interesting fields" panel and saved the search as a dashboard panel. Then I went back to the dashboard panel and edited where user="mydomain\\JohnDoe" with my token where user="mydomain\\$userName$" and it works. I am still unable to change the order in which the fields appear but I guess that is not an option. This is a silly way of doing things and I wish Splunk would make the dashboard searches work identically to the regular main search in the program. This isn't the first time something has worked for me in the main search but not in the dashboard...

sundareshr
Legend

In the left panel, where you see interested fields, click on the field you are interested in showing below the event. On the top right corner of the flyout window, click on "yes" next to "Selected". This will add the field under "Selected Fields" and also show it below the event.

0 Karma

daishih
Path Finder

The left panel "interested fields" does not appear in the dashboard search results thought so how can I get that to come up? It shows up only when doing a regular search.

0 Karma

daishih
Path Finder

I thought that would work but I already tried | fields ... and when I do that in the dashboard search none of the fields show up on the bottom.

0 Karma

sundareshr
Legend

Then, I believe your only option would be to add ... | fields <<list of fields here>>> to your search, and in the events panel in the dashboard, click on the arrow (left most column of the panel, there's one for each event) to see the fields

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...