Splunk Search

remove _raw field from table view

lutel
Explorer

Is it possible to remove _raw field from search results in table view? I guess this change came with Splunk 4.3. ... | fields - _raw is not an option, as I'd like to get to default behaviour from Splunk 4.2 which was not cluttering search results in table view...

0 Karma

ziegfried
Influencer

You could use the following JavaScript code to hide the _raw field from all SimpleResultsTables in an app:

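if (Splunk.Module.SimpleResultsTable) {
    // Keep a reference to the stock handler so it still runs first.
    var orig = Splunk.Module.SimpleResultsTable.prototype.onResultsRendered;
    Splunk.Module.SimpleResultsTable.prototype.onResultsRendered = function() {
        // Forward the original arguments and return value unchanged.
        var result = orig.apply(this, arguments);
        // Hide the header cell whose text is "_raw" (trailing whitespace allowed).
        $('th', this.container).each(function(i, el) {
            if (/^_raw\s*$/.test($(el).text())) $(el).hide();
        });
        // Hide the matching _raw data cell in every row.
        $('td[field=_raw]', this.container).hide();
        return result;
    };
}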

Simply place this code in $SPLUNK_HOME/etc/apps/search/appserver/static/application.js (or any other app where you want to hide the _raw field).


lutel
Explorer

Works like a charm! Thank you for this piece of code!

0 Karma

ziegfried
Influencer

And make sure you clear the browser cache.

0 Karma

ziegfried
Influencer

You have to restart splunkweb.

$ splunk restart splunkweb

0 Karma

lutel
Explorer

Thank you for this code! Could you tell me how I can activate it in a default installation? I've copied it as you wrote to $SPLUNK_HOME/etc/apps/search/appserver/static/application.js but this file is not included when the page loads...

0 Karma

Drainy
Champion

Hah! Snap, I was just writing up the same (similar) piece of code

ziegfried
Influencer

You could use the table command. You will still be able to view the raw text in the eventsviewer and additionally have a (transformed) results table to look at fields of interest.

... | table host user some_other_field ...

lutel
Explorer

I'm not using the fields approach as my installation is used by other users and I want to keep it as simple and clean as possible for them. I've got a lot of extracted fields in each event and this _raw field makes the output ugly now :(

0 Karma

kristian_kolb
Ultra Champion

Aah, I see.. Didn't know that any default behaviour had changed. Perhaps there is some system-wide setting that can be configured to alter this.

In the meantime, why not use the fields or table approach to get the results you need/want?

/k

0 Karma

lutel
Explorer

In the results window, you can switch between "events lists", "table" and "results chart" (three icons in the results window) - I'm referring to this "table" view... I don't want to modify each query for this, "... | fields - _raw" gives me the desired output, but I want to have this behaviour by default... As it was in 4.2...

0 Karma

kristian_kolb
Ultra Champion

Sorry, but I still don't understand your problem.

As ziegfried says above, ... | table field1 field2 does not include _raw in the table.

Perhaps we have a different understanding of what "table view" means?
/k

0 Karma

lutel
Explorer

a) search query doesn't matter, _raw field always appears in "Table" view of main search output (with exception of ... | fields - _raw)
b) output - log entries split into fields but with undesired _raw field...
c) output without this _raw field....

0 Karma

kristian_kolb
Ultra Champion

This sounds weird. Perhaps we're misunderstanding what you're trying to do. Please post

a) your search
b) your output
c) your desired output

That way we'd be able to help you better.

/k

0 Karma

lutel
Explorer

Thank you for the prompt response, but this is no option for me, as I want to remove this _raw field from all the results from different indexes in this view, also I want to have it be the default for all the users. This _raw field breaks formatting and makes output ugly. This is really a step backward from version 4.2 😞

0 Karma