Splunk Search

Is it possible to hide _raw from a search result?

Splunk Employee

The data I'm sending to my Splunk Index is made of a number of KV records. A subset of a record data looks like:

trace_event_record=v1
trace_event_valid=NO
trace_event_srv=myhost23.mydmn.net
trace_event_type=XKDopewrw$1
trace_event_location=/my/path/where/mylogs/are/javalog.log
trace_event_component_id=G08
trace_event_tags=TAG1
trace_event_timestamp=2010-07-08 06:58:00
trace_event_message= here a very long and complex message associated to this event

I would like the user to see only the content of the field trace_event_message, including the _raw output in the 'Event List' tab, but the same user should be able to search all the other fields as well.

For example, a user search could contain only the string "myhost23", but the visible set of information returned will only contain

here a very long and complex message associated to this event

and of course all the other messages from myhost23

1 Solution

Super Champion

I think you could do what you are looking for by simply renaming your fields. Try sticking this on the end of your search:

...| rename trace_event_message as _raw

If that works how you want it to, and you don't want the user to add this every time, you could do a simple form search, or if you need some of the more advanced search features, you could build a custom search view (starting from the default flashtimeline view) that would insert the rename command into the search; but that can get tricky.


Engager

Or, if you want to do more than just select one field, use eval:

...| eval _raw = "[" . trace_event_valid . "] " . trace_event_message

EDIT: I just realized that for this example eval is a bit overkill, and strcat probably yields faster performance:

...| strcat "[" trace_event_valid "] " trace_event_message _raw

Either of the two would give the same example result:

[NO] here a very long and complex message associated to this event
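The following is an added example, not code from this thread or from Splunk: a small Python model of what the two suggested searches do to the sample record, so the split between what is searched and what is displayed can be seen without a Splunk instance. The field names and the sample event come from the question; the Splunk semantics mirrored here (automatic key=value extraction, free-text matching against the whole event, strcat treating a missing field as empty) are assumptions of this model, and the searches still run over every extracted field even though only the rebuilt _raw is shown.

```python
# Added example (not from the original thread): model of the rename / strcat
# searches applied to the question's sample record. Splunk semantics below are
# an assumption of this model, not a reimplementation of Splunk.

# Constructed sample event, copied from the question's KV record.
SAMPLE_EVENT = """trace_event_record=v1
trace_event_valid=NO
trace_event_srv=myhost23.mydmn.net
trace_event_type=XKDopewrw$1
trace_event_location=/my/path/where/mylogs/are/javalog.log
trace_event_component_id=G08
trace_event_tags=TAG1
trace_event_timestamp=2010-07-08 06:58:00
trace_event_message= here a very long and complex message associated to this event"""


def extract_kv(raw):
    """Model automatic key=value extraction for one event (one pair per line)."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def matches(raw, term):
    """Model the free-text search: the term is matched against the whole event, not just the displayed field."""
    return term.lower() in raw.lower()


def rename_to_raw(fields):
    """'... | rename trace_event_message as _raw': the event list shows only the message."""
    return fields.get("trace_event_message")


def strcat_to_raw(fields):
    """'... | strcat "[" trace_event_valid "] " trace_event_message _raw' (missing fields become empty)."""
    return "[" + fields.get("trace_event_valid", "") + "] " + fields.get("trace_event_message", "")


def search_and_display(events, term, display=rename_to_raw):
    """Return the displayed _raw for every event that matches the term, as the user would see it."""
    return [display(extract_kv(e)) for e in events if matches(e, term)]


if __name__ == "__main__":
    # "myhost23" is found via trace_event_srv even though the displayed line never contains it.
    for shown in search_and_display([SAMPLE_EVENT], "myhost23", strcat_to_raw):
        print(shown)  # [NO] here a very long and complex message associated to this event
```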
