Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get logs to show fieldnames

NJ
Path Finder
‎03-22-2023 06:09 PM

Hi everyone!

I'm still fairly new to Splunk so sorry if it is a simple question.

I have some logs that does not show the field names when you have done a search.

NJ_0-1679533670406.png

But when I expand the event, I can see the names.

NJ_1-1679533720795.png

 

Is it not possible to have the field names shown in the first picture?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎03-22-2023 08:54 PM

Yes, you can do that using a search command, like this

... your base search ...
| fields *
| tojson

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2023 10:22 PM

Hi @NJ ,

are you using Verbose or Smart Mode in your search?

you have to use Verbose Mode to display all the extracted fields.

if you have in interesting fields less fields than all fields the reason is that probably you have less results than 20%, so they aren't visualized in interesting fields.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

NJ
Path Finder
‎03-22-2023 10:35 PM

Hi @gcusello 

I can see the field names on the left side but I was wondering if I would be able to see them in the event list like this:

Field name: Value

NJ_0-1679549675586.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2023 11:00 PM

Hi @NJ ,

you can visualize logs in raw text mode.

If you want to visualize them in json format, you have to manually open each of them, for my knowledge there isn't an option to open all the sub parts of the log.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

yeahnah
Motivator
‎03-22-2023 07:36 PM

Hi @NJ 

The List view will just show you what the event data looks like as it was ingested.  There obviously must be some automatic field extraction going on for the field values to be extracted.

If you want column headers (field names) to show with the values underneath, then you can pick the table view instead

yeahnah_0-1679538669808.png

Whatever you have as Selected Fields will show as a column with the value underneath. 

yeahnah_1-1679538705632.png

You can select or deselect fields by clicking into them.

yeahnah_2-1679538807545.png

 


Another method, though is to use the table command

...your search ...
| table *

You can specify the field names you want or just use the * wildcard for everything.

Hope this helps.  Please mark as solution provided if this answer your query.  

0 Karma
Reply
Solved! Jump to solution

NJ
Path Finder
‎03-22-2023 08:13 PM

Hi @yeahnah 

Thanks for your reply learned something new!

However, is there no way to get it like this JSON example:

NJ_0-1679541176917.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎03-22-2023 08:54 PM

Yes, you can do that using a search command, like this

... your base search ...
| fields *
| tojson

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 10:30 PM

Just be aware that you're not showing the original event anymore - just some rendered json structure.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...