Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Select Fields at search time

thepocketwade
Path Finder
‎03-29-2010 04:43 PM

I've got a field extraction defined in my props.conf, but now I want to be able to select it in a search without using the "Field Picker." I've not found anything in the documentation yet that's been helpful. Is there a way to do this that I'm missing?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-30-2010 05:21 AM

By "select" do you just mean to use it in a search, or do you mean to have it display under the raw event in the Event Viewer GUI? If the former, you don't need to do anything, you can just use the field. If the latter, then no. Unfortunately the Event Viewer UI is not as tightly linked to the search query (and use of fields) as it could be.

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎04-01-2010 03:08 PM

Have you tried using the charting view instead of the default flashtimeline search view?This might give you what you are looking for. I liked how you could temporarily change your shown fields using the fields command in Splunk 3.x, but it didn't seem possible in Splunk 4, at least until I discovered this trick...

You can get to the "Advanced Charting" view from the menu or tack by tacking "charting" to the URL path.

Once your in the Advanced Charting view, you can minimize the Chart and formatting areas, and to focus on the results area. Then you can tack on your fields command to your search (something like | fields + field1 field2 ...). And now you should only see your fields in the "Events Table" results. So you can see only the fields you want, and in the order that you defined. (Unfortunately, it doesn't work for the fields shown in the "Events List" results pane, which is a pain.)

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-30-2010 05:21 AM

By "select" do you just mean to use it in a search, or do you mean to have it display under the raw event in the Event Viewer GUI? If the former, you don't need to do anything, you can just use the field. If the latter, then no. Unfortunately the Event Viewer UI is not as tightly linked to the search query (and use of fields) as it could be.

Reply
Solved! Jump to solution

thepocketwade
Path Finder
‎03-30-2010 12:43 PM

I mean the latter, might the link be tightened in future versions of Splunk?

0 Karma
Reply
Solved! Jump to solution

dskillman
Splunk Employee
Splunk Employee
‎03-29-2010 09:42 PM

Do you know that it is being extracted correctly? Does the field/fields in your extraction return any results if you run:

field_in_question=*

If it does, you can add | fields list, your, fields, here to the end of a search. Once you add a field by clicking the Show In Results in the Field Picker you will not need to use it any more.

Reply
Solved! Jump to solution

thepocketwade
Path Finder
‎03-30-2010 12:42 PM

yeah, but piping to fields leaves me with just the fields passed to the fields command. I want to keep all the fields, but change what's "selected" and displayed below the log.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top