Splunk Search

How do I turn off highlighting?

ericrobinson
Path Finder

I have a search that pipes to another search, and this search is highlighting the results. I do not want the highlights.

I am showing the events in a dashboard.

Tags (1)

Lowell
Super Champion

While we are on the topic, I just want to point out another use case where it would be nice to disable highlighting.

I don't want to hijack the main question, so I can post this separately if there is a different answer to my scenario. But for the moment, it seems to fit.


It would also be nice to disable highlighting when interacting with splunk via REST API. The XML results include highlighting which can add unwanted complexity to an otherwise simple search process.

For example, take the following search:

sourcetype=cisco_switch SYS-5-CONFIG_I notice

Example event:

2010-08-31 20:49:24.179 -04:00 172.16.1.1 [72053] notice: SYS-5-CONFIG_I: Configured from console by vty2 (172.16.1.2)

Example of the "_raw" field returned via the XML-output of a search:

<field k='_raw'>
   <v xml:space='preserve' trunc='0'>2010-08-31 20:49:24.179 -04:00 172.16.1.1 [72053] <sg h='1'>notice</sg>: <sg h='1'>SYS-5-CONFIG_I</sg>: Configured from console by vty2 (172.16.1.2)</v>
</field>

My search client basically just converts the XML results into a very simple list of key/value pairs. The XML utility really only understands xml structure and not xml markup tags like this. So my resulting _raw field ends up looking like this:

2010-08-31 20:49:24.179 -04:00 172.16.1.1 [72053] : : Configured from console by vty2 (172.16.1.2)

Notice that I'm missing some text I would really like to be able to read. Sure, I could use a better XML tool, but the point it is that would really be nice if we could just prevent splunk from adding unwanted markup tags in the first place. Right now the only workaround is to rename or copy the _raw field.

southeringtonp
Motivator

I would argue that any additional tags should be excluded from _raw by default, as it's not exactly raw anymore. Maybe return a new field _cooked, or _formatted, or some such.

0 Karma

southeringtonp
Motivator

The really ugly approach would be to do it via CSS.

Technically, that that wouldn't remove the highlighting, but would let you set the highlight color to be the same as the background, effectively making it invisible. If you're only concerned with removing the highlights within your single dashboard view, this might not be so bad, since you can set the stylesheet just for the dashboard (see here).

If you need it to stay invisible through drilldown into another view, then you might have to do it at the app level, which starts to impact other searches.

Maybe someone else has a better idea - there really should be a cleaner way.

Lowell
Super Champion

Yeah, there's a "highlight" command to highlight new terms, but there doesn't seem to be a way to reverse it. Good question +1

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...