topic Re: REMOVE AN EXTRA FIELD in Splunk Search

REMOVE AN EXTRA FIELD

sphiwee — Mon, 19 Oct 2020 12:58:11 GMT

i have regular expression that i use to extract the below words, but i dont want to show the Results fiels or column, how do i exclude it?

Ive tried | fields -Results & it didnt work

Re: REMOVE AN EXTRA FIELD

gcusello — Mon, 19 Oct 2020 13:04:32 GMT

Hi @sphiwee,

put a space between - and the field name

| fields - Results

Ciao.

Giuseppe

Re: REMOVE AN EXTRA FIELD

thambisetty — Mon, 19 Oct 2020 13:12:10 GMT

share your query to understand if Results appeared in chart has derived from another field.

Re: REMOVE AN EXTRA FIELD

sphiwee — Mon, 19 Oct 2020 13:15:34 GMT

Still not working

Re: REMOVE AN EXTRA FIELD

sphiwee — Mon, 19 Oct 2020 13:20:59 GMT

Heres the query, i want to remove the far right field "Results"

Re: REMOVE AN EXTRA FIELD

gcusello — Mon, 19 Oct 2020 13:31:17 GMT

Hi @sphiwee,

sorry, I misunderstood!

Try adding to the last "search command" also

NOT business_field="Results"

P.S.: you don't need "AND" operator in search.

Ciao.

Giuseppe

Re: REMOVE AN EXTRA FIELD

sphiwee — Mon, 19 Oct 2020 13:38:16 GMT

Still not working, now receiving an error

Re: REMOVE AN EXTRA FIELD

thambisetty — Mon, 19 Oct 2020 14:00:18 GMT

replace your search command just before timechart with below

| search business_field=* NOT business_field=Results

if you think you have got 100% matches for field business_field extracted using rex command the below search would be enough. no need to say business_field=* ( this is useful to ignore null values in events if there are any events they are not matched for regex and returned null values)

| search NOT business_field=Results

Re: REMOVE AN EXTRA FIELD

gcusello — Mon, 19 Oct 2020 13:59:42 GMT

Hi @sphiwee,

sorry I wasn't clear, in your search replace

| search business_field=* AND "status:COMPLETED"

with

| search business_field=* "status:COMPLETED" NOT business_field="Results"

and do not use more the field command.

Ciao.

Giuseppe

Re: REMOVE AN EXTRA FIELD

sphiwee — Mon, 19 Oct 2020 14:04:52 GMT

still not working

Re: REMOVE AN EXTRA FIELD

inventsekar — Mon, 19 Oct 2020 14:09:05 GMT

Hi @sphiwee whats your current search query? you can not use "business_field=Results" inside the fields command.

Re: REMOVE AN EXTRA FIELD

thambisetty — Mon, 19 Oct 2020 14:11:19 GMT

can you try below command after rex command and check if you see field business_field and value Results. if you don't see that means there could be white space added at starting or ending of Results value.

| search business_field=* NOT business_field=Results | stats count by business_field | search business_field=*Results*

you can try below to make sure there is white space.

| search business_field=* NOT business_field=Results | stats count by business_field | search business_field=*Results*

if above search works then you can try below in your actual search

| search business_field=* NOT business_field=*Results*

Re: REMOVE AN EXTRA FIELD

sphiwee — Mon, 19 Oct 2020 14:12:45 GMT

here is my query @inventsekar

Re: REMOVE AN EXTRA FIELD

gcusello — Mon, 19 Oct 2020 14:15:15 GMT

Hi @sphiwee,

could you try to execute the last search in verbose mode?

Ciao.

Giuseppe