Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

can i get the default _raw with out specificing it in the query ??

rakesh_498115
Motivator
‎10-24-2012 04:08 AM

Hi..

I have search query which gives me a ouput of certain fields say A,B,C and we know that splunk has two default fields _raw and _time .i haven't given these two fields in my search query but i have used them in my html display module has $resuls[0]._raw$ etc..but there are not getting displayed ??

I dnt want my raw data to be displayed in the query resutls , but want it to be displayed upon the user click in my html module..

my search is some thing like this..

(my search ) | table A,B,C

now when i use $results[0].A$ in html module its working fine...but i want the _raw field to be displayed in the HTML module , with out showing it in the search command above .ie with the table command above..how can i do it ? is there any trick to do it in splunk ?? please help..

Tags (3)
0 Karma
Reply

tskinnerivsec
Contributor
‎10-24-2012 10:21 AM

Have you tried creating a macro of the search that includes the _raw field, that way you can just specify the macro in the search bar instead of using a search with the _raw field in it?

0 Karma
Reply

rakesh_498115
Motivator
‎10-26-2012 08:21 AM

Thanks for your help 🙂

0 Karma
Reply

tskinnerivsec
Contributor
‎10-25-2012 01:16 PM

In your macros.conf file for your app you could have something defined as simple as:

[firewall_traffic]
args =
definition = tag=firewall tag=communicate

Then in a saved search use it like this:

search = firewall_traffic | top 10 classification

So, in the application that you are writing, include a macros.conf file that defines a macro for the search with the _raw in it. Then, you can call the macro by name in your searches without calling the _raw field by name. I would reference the macros.conf example file, which I need to spend a little more time with myself.

0 Karma
Reply

rakesh_498115
Motivator
‎10-25-2012 11:06 AM

can you pls give me a example for this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...