Splunk Cloud Platform

Search Reference

iconify

Description

Causes Splunk Web to display an icon for each different value in the list of fields that you specify.

The iconify command adds a field named _icon to each event. This field is the hash value for the event. Within Splunk Web, a different icon for each unique value in the field is displayed in the events list. If multiple fields are listed, the UI displays a different icon for each unique combination of the field values.

Syntax

iconify <field-list>

Required arguments

field-list
Syntax: <field>...
Description: Comma or space-delimited list of fields. You cannot specify a wildcard character in the field list.

Usage

The iconify command is a distributable streaming command. See Command types.

Examples

1. Display a different icon for each eventtype

... | iconify eventtype

2. Display a different icon for unique pairs of field values

Display a different icon for unique pair of clientip and method values.

... | iconify clientip method

Here is how Splunk Web displays the results in your Events List:

Iconify example.png

See also

highlight

Last modified on 13 November, 2021
history   inputcsv

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters