Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

named field for indexed data

gekoner
Communicator
‎06-02-2011 02:20 PM

I am looking to setup a dashboard that displays data from various indexes. I was looking to just use a data table or event listing. Very Simple layout.
I have the data being returned in the search, but I can't get the contents of the data to display. I'm using "| table _time ..." to sort the data
I think this is because there is no field name for the data. I have tried using _raw but that doesn't work. I can get any of the named fields to display, but what is the correct way to get the data from the event to show the data as it is shown in the raw search. It is all on one line.

EXAMPLE of text returned in the search:
50102:{0x10C} [AUDIT] user.a@email.net - User activated on the server 1234
host=servername sourcetype=APP1 source=F:\Program Files (x86)\APP1\log0001.txt

I know this is simple, I just can't find the correct information on it.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎06-02-2011 03:04 PM

If you want to use an Event Listing to just list out the raw events, you shouldn't have the "| table" stuff. Just use the search that shows properly in the flashtimeline and set the element to Event Listing.

View solution in original post

Reply
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎06-02-2011 03:04 PM

If you want to use an Event Listing to just list out the raw events, you shouldn't have the "| table" stuff. Just use the search that shows properly in the flashtimeline and set the element to Event Listing.

Reply
Solved! Jump to solution

mw
Splunk Employee
Splunk Employee
‎06-06-2011 05:44 PM

Using table will put it in a table. If you just want the raw events, maybe trying using "... | rex mode=sed ..." to keep only what you want.

0 Karma
Reply
Solved! Jump to solution

gekoner
Communicator
‎06-03-2011 09:46 AM

mw, I should have been more specific. The reason I was using |table was I wanted to parse the output to only display some of the line. I think the best thing to do is use a regex value in the search parameter.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...