Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does highlight not highlight? What am I doing wrong?

neiljpeterson
Communicator
‎07-01-2014 10:00 AM

This should be dead simple. Obviosuly I am missing something.

host=tcserver1 | highlight ERROR

I just want a pretty color for anywhere the string "error" shows up in the logs as I watch them scroll by. I don't only want to see the events with "error", I need to see all of them, but need to be able to visually pick out the ones WITH error when they happen.

The highlight search command seems really straight forward, I can't imagine what I am missing here... I can use CTRL+F to see that there are plenty of instances of this string, but I get no highlighting using the search command. 😞

Tags (2)
0 Karma
Reply

bareisd
Explorer
‎12-07-2016 12:20 PM

It would be nice to be able to specify a colour but I'd be happy if anything worked.

I am in "raw" mode.

I have discovered that I can highlight text (as OP wanted) but not fields, for example to "fix" the original example, this would work:

host=tcserver1 | highlight "ERROR"

As it would highlight the text "ERROR" wherever it was found.

Reply

kenkenou
Explorer
‎12-06-2016 06:09 PM

Maybe you could change the view to "Raw" or "List", the string you highlight will be in yellow.

0 Karma
Reply

bareisd
Explorer
‎12-06-2016 05:46 PM

I can not get "highlight" or "iconify" to do anything in Splunk 6.3

An example:

index=*someapp* sourcetype=*iis* | highlight c_ip
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-01-2014 11:06 AM

In my case, a bit of testing shows that the highlight only works on the Events page on the raw data, not on the Statistics page. So, if you are doing any statistics or creating a table the highlighting doesn't seem to apply.

Reply

Richfez
SplunkTrust
SplunkTrust
‎07-02-2014 11:58 AM

Yes, the word user shows up in yellow highlighting when part of "user=admin". Likewise:

index=_audit action=search | highlight user info fields

Highlights each instance of "user" "info" and "fields".

Sounds like you may have a bug? What exact version of Splunk are you using?

0 Karma
Reply

neiljpeterson
Communicator
‎07-02-2014 11:01 AM

I am on the events page, looking at the _raw. Nothing fancy.

Try this search:

index=_audit action=search | highlight user

Does that change how "user" or the user field looks in the results? Cause it does nothing for me.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...