Remove fields from a query

kahless1985 · ‎03-03-2019

The title says it all. I'm looking for a way to remove fields from searches and subsearches. I know I can hide fields from results with

| fields - "fieldName"

But I'm looking for a way to get "set diff" to operate on a singe filed. If I was using "diff" without "set" the the attribute parameter could be utilized but unfortunately this option seems to be disabled when the two are used in conjunction.

mydog8it · ‎03-05-2019

Search in a stats count by type search and then only redirect the interesting fields to a table, the results will only be the fields you send to the table.
Does that help?

somesoni2 · ‎03-05-2019

What's your current search(es)?

msivill_splunk · ‎03-05-2019

Could you create an expanded example of the SPL perhaps using | makeresults to generate the data for a standalone example?

Remove fields from a query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Remove fields from a query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future