Solved: Re: Fieldsummary output : remove columns I dont ne...

john_shashank · ‎04-30-2020

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m
| fieldsummary

output: A table contains multiple columns such as field, count, distinct_count, is_exact, .......etc.

Required output: only one column.

Not working :
|table -count, -distinct_count,

to4kawa · ‎05-01-2020

use fields instead of table

View solution in original post

codebuilder · ‎05-01-2020

In your example, table will work but your syntax is not correct. Use table to include the values you want.

e.g.

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m| fieldsummary | table field, count, max

----
An upvote would be appreciated and Accept Solution if it helps!

john_shashank · ‎05-01-2020

Your command worked completed fine. but as there are multiple packs under the field called "name". I modified the query to the following which did not work for me can you help me with that?

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m| fieldsummary | stats value(field), name

codebuilder · ‎05-04-2020

Yes. Take out the "name=", and instead use wildcards around the values.
e.g.
pack_incident_response_

Do the same for any others you want to include.

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder · ‎05-05-2020

To clarify my previous post, try this method:

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m| fieldsummary *pack_incident_response_* | table field, count, max

----
An upvote would be appreciated and Accept Solution if it helps!

to4kawa · ‎05-01-2020

use fields instead of table

john_shashank · ‎05-01-2020

Thanks, that worked,

I have one more question if you can help.

Query:
eventtype=osquery_osquery earliest=-5m
| stats values(fieldsummary) by name
[ | fieldsummary

| fields - count, - distinct_count, - is_exact, - max, - mean, - min, - numeric_count, - stdev, - values]

Looking for the result as :
2 column: name and the field (one column from the fieldsummary search)

Can you help me to modify the query to get the correct answer?

Thanks

to4kawa · ‎05-01-2020

@john_shashank
please accept my answer.

Your query is not clear. What are you going to know by this query?

ask for another question and provide sample log at the point.

Anyone can't see name and why do you use fieldsummary at this place?
osquery's output has name , I know. but I can't understand what you want to do.

@codebuilder
remove columns I dont need
For this Q, fields is appropriate. so, I think table is good, too.

john_shashank · ‎05-01-2020

I am trying to achieve something like in the picture below.
https://drive.google.com/open?id=1Atr-qDM68Dc_pLy7WsGFeiFbiEvvjha2

this is what I just created for an example. @to4kawa If there is any other way to extract field please feel free to share the syntax. thanks

to4kawa · ‎05-02-2020

Your query is not clear. What are you going to know by this query? ask for another question and provide sample log at the point.

another way:

use map and search each name.

codebuilder · ‎05-01-2020

@to4kawa I agree with you, both options work in this case (fields or table), and your suggestion was first, and correct.

----
An upvote would be appreciated and Accept Solution if it helps!

codebuilder · ‎05-01-2020

Did you read my answer?

----
An upvote would be appreciated and Accept Solution if it helps!

Fieldsummary output : remove columns I dont need.

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability