|
The data I'm sending to my Splunk Index is made of a number of KV records. A subset of a record data looks like: trace_event_record=v1 I would like the user to see only the content of the field trace_event_message, including the _raw output the 'Event List' Tab, but the same user should be be able to search all the other fields as well. For example an user search could contain only the string "myhost23", but the visible set of information returned will only contain here a very long and complex message associated to this event and off course all the other messages from myhost23 |
|
I think you could do what you are looking for by simply renaming your fields. Try sticking this on the end of your search: If that works how you want it to, and you don't want the user to add this every time, you could do a simple form search, or if you need some of the more advanced search features, you could build a custom search view (starting from the default |
|
or if you like to do more than just selecting one field, use eval: EDIT: I just realized that for this example eval is a bit overkill, and strcat probably yields faster performance: any of the two would give the same example result: |
