Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get logs to show fieldnames

NJ
Path Finder
‎03-22-2023 06:09 PM

Hi everyone!

I'm still fairly new to Splunk so sorry if it is a simple question.

I have some logs that does not show the field names when you have done a search.

NJ_0-1679533670406.png

But when I expand the event, I can see the names.

NJ_1-1679533720795.png

 

Is it not possible to have the field names shown in the first picture?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎03-22-2023 08:54 PM

Yes, you can do that using a search command, like this

... your base search ...
| fields *
| tojson

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2023 10:22 PM

Hi @NJ ,

are you using Verbose or Smart Mode in your search?

you have to use Verbose Mode to display all the extracted fields.

if you have in interesting fields less fields than all fields the reason is that probably you have less results than 20%, so they aren't visualized in interesting fields.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

NJ
Path Finder
‎03-22-2023 10:35 PM

Hi @gcusello 

I can see the field names on the left side but I was wondering if I would be able to see them in the event list like this:

Field name: Value

NJ_0-1679549675586.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2023 11:00 PM

Hi @NJ ,

you can visualize logs in raw text mode.

If you want to visualize them in json format, you have to manually open each of them, for my knowledge there isn't an option to open all the sub parts of the log.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

yeahnah
Motivator
‎03-22-2023 07:36 PM

Hi @NJ 

The List view will just show you what the event data looks like as it was ingested.  There obviously must be some automatic field extraction going on for the field values to be extracted.

If you want column headers (field names) to show with the values underneath, then you can pick the table view instead

yeahnah_0-1679538669808.png

Whatever you have as Selected Fields will show as a column with the value underneath. 

yeahnah_1-1679538705632.png

You can select or deselect fields by clicking into them.

yeahnah_2-1679538807545.png

 


Another method, though is to use the table command

...your search ...
| table *

You can specify the field names you want or just use the * wildcard for everything.

Hope this helps.  Please mark as solution provided if this answer your query.  

0 Karma
Reply
Solved! Jump to solution

NJ
Path Finder
‎03-22-2023 08:13 PM

Hi @yeahnah 

Thanks for your reply learned something new!

However, is there no way to get it like this JSON example:

NJ_0-1679541176917.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎03-22-2023 08:54 PM

Yes, you can do that using a search command, like this

... your base search ...
| fields *
| tojson

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 10:30 PM

Just be aware that you're not showing the original event anymore - just some rendered json structure.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...