Re: How to stop index extraction fields displaying...

BuzzLights10 · ‎06-01-2021

Hello Community,

I want to remove a select few fields which are extracted by default like punct, splunkserver, etc.

By remove, I mean I do not want these fields to be displayed when I search for data in these indexes on the Search head.
I went through many posts but could not find anything appropriate as to how this can be achieved in the back end. Maybe I am missing something on the props or fields.conf files??

Any help is appreciated!

richgalloway · ‎06-04-2021

I'm not aware of any way to control what is displayed in the "Interesting fields" area. We can use the fields command to control what is displayed in search results, of course.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎06-01-2021

If you run your searches in Fast Mode then Splunk will not perform search-time extractions.

For index-time extractions, the only one you can disable (AFAIK) is punct. Use the ANNOTATE_PUNCT=false setting in props.conf to do that.

---
If this reply helps you, Karma would be appreciated.

BuzzLights10 · ‎06-04-2021

Hi @richgalloway

Thank you for the reply . On some data sets when I need to see the detailed list of fields or to only see the fields i've manually extracted(basically running in smart or verbose)...is there any way to not display these default fields then??

Thanks again!

How to stop index extraction fields displaying on the search head??

heavy forwarder

indexer

props.conf

transforms.conf

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!