Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

can i get the default _raw with out specificing it in the query ??

rakesh_498115
Motivator
‎10-24-2012 04:08 AM

Hi..

I have search query which gives me a ouput of certain fields say A,B,C and we know that splunk has two default fields _raw and _time .i haven't given these two fields in my search query but i have used them in my html display module has $resuls[0]._raw$ etc..but there are not getting displayed ??

I dnt want my raw data to be displayed in the query resutls , but want it to be displayed upon the user click in my html module..

my search is some thing like this..

(my search ) | table A,B,C

now when i use $results[0].A$ in html module its working fine...but i want the _raw field to be displayed in the HTML module , with out showing it in the search command above .ie with the table command above..how can i do it ? is there any trick to do it in splunk ?? please help..

Tags (3)
0 Karma
Reply

tskinnerivsec
Contributor
‎10-24-2012 10:21 AM

Have you tried creating a macro of the search that includes the _raw field, that way you can just specify the macro in the search bar instead of using a search with the _raw field in it?

0 Karma
Reply

rakesh_498115
Motivator
‎10-26-2012 08:21 AM

Thanks for your help 🙂

0 Karma
Reply

tskinnerivsec
Contributor
‎10-25-2012 01:16 PM

In your macros.conf file for your app you could have something defined as simple as:

[firewall_traffic]
args =
definition = tag=firewall tag=communicate

Then in a saved search use it like this:

search = firewall_traffic | top 10 classification

So, in the application that you are writing, include a macros.conf file that defines a macro for the search with the _raw in it. Then, you can call the macro by name in your searches without calling the _raw field by name. I would reference the macros.conf example file, which I need to spend a little more time with myself.

0 Karma
Reply

rakesh_498115
Motivator
‎10-25-2012 11:06 AM

can you pls give me a example for this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...