iconify
Description
Causes Splunk Web to display an icon for each different value in the list of fields that you specify.
The iconify command adds a field named _icon to each event. This field is the hash value for the event. Within Splunk Web, a different icon for each unique value in the field is displayed in the events list. If multiple fields are listed, the UI displays a different icon for each unique combination of the field values.
Syntax
iconify <field-list>
Required arguments
- field-list
- Syntax: <field>...
- Description: Comma or space-delimited list of fields. You cannot specify a wildcard character in the field list.
Usage
The iconify command is a distributable streaming command. See Command types.
Examples
1. Display a different icon for each eventtype
... | iconify eventtype
2. Display a different icon for unique pairs of field values
Display a different icon for each unique pair of clientip and method values.
... | iconify clientip method
Here is how Splunk Web displays the results in your Events List:
See also
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)