You could use the following JavaScript code to hide the _raw field from all SimpleResultsTables in an app:

    // Wrap SimpleResultsTable's render callback so _raw is hidden after every render.
    if (Splunk.Module.SimpleResultsTable) {
        var orig = Splunk.Module.SimpleResultsTable.prototype.onResultsRendered;
        Splunk.Module.SimpleResultsTable.prototype.onResultsRendered = function() {
            // Run the original handler first, forwarding any arguments.
            orig.apply(this, arguments);
            // Hide the _raw column header...
            $('th', this.container).each(function(i, el) {
                if (/^_raw\s*$/.test($(el).text())) $(el).hide();
            });
            // ...and every _raw cell in this table.
            $('td[field=_raw]', this.container).hide();
        };
    }

Simply place this code in $SPLUNK_HOME/etc/apps/search/appserver/static/application.js (or any other app where you want to hide the _raw field).
Works like a charm! Thank you for this piece of code!
And make sure you clear the browser cache.
You have to restart splunkweb:
    $ splunk restart splunkweb
Thank you for this code! Could you tell me how I can activate it in a default installation? I've copied it as you wrote to $SPLUNK_HOME/etc/apps/search/appserver/static/application.js but this file is not included when the page loads...
Hah! Snap, I was just writing up the same (similar) piece of code
You could use the table command. You will still be able to view the raw text in the eventsviewer and additionally have a (transformed) results table to look at fields of interest.
    ... | table host user some_other_field ...
I'm not using the fields approach as my installation is used by other users and I want to keep it as simple and clean as possible for them. I've got a lot of extracted fields in each event and this _raw field makes the output ugly now :(
Aah, I see.. Didn't know that any default behaviour had changed. Perhaps there is some system-wide setting that can be configured to alter this.
In the meantime, why not use the fields or table approach to get the results you need/want.
/k
In the results window, you can switch between "events lists", "table" and "results chart" (three icons in the results window) - I'm referring to this "table" view... I don't want to modify each query for this, "... | fields - _raw" gives me the desired output, but I want to have this behaviour by default... As it was in 4.2...
Sorry, but I still don't understand your problem.
As ziegfried says above, ... | table field1 field2 does not include _raw in the table.
Perhaps we have a different understanding of what "table view" means?
/k
a) search query doesn't matter, _raw field always appears in "Table" view of main search output (with exception of ... | fields - _raw)
b) output - log entries split into fields but with undesired _raw field...
c) output without this _raw field....
This sounds weird. Perhaps we're misunderstanding what you're trying to do. Please post
a) your search
b) your output
c) your desired output
That way we'd be able to help you better
/k
Thank you for the prompt response, but this is no option for me, as I want to remove this _raw field from all the results from different indexes in this view, and I also want it to be the default for all the users. This _raw field breaks formatting and makes output ugly. This is really a step backward from version 4.2 😞