We see the following output, based on the default fields specified in the template:
Notice that we still see the event number, the workflow actions menu, local time
as rendered by Splunk, and the selected fields underneath our template output.
We have really only overridden the rendering of _raw.
If we specify the fields we want in our table in the field tabular, the template
will honor what we specify in our table:
index="implsplunk" sourcetype="template_example"
| eval tabular="level,logger,message,foo,network"
| eval eventtype="tabular"
This gives us the output shown in the following screenshot:
Any field that does not have a value is rendered as -, as per the following
template code:
str(event.fields.get(f, '-'))
 