Splunk Enterprise Security

Fieldsummary output: remove columns I don't need.

New Member

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m
| fieldsummary

Output: a table containing multiple columns such as field, count, distinct_count, is_exact, etc.

Required output: only one column.

Not working:
|table -count, -distinct_count,


Re: Fieldsummary output: remove columns I don't need.

Ultra Champion

use fields instead of table

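To make the accepted answer concrete, here is an added SPL example (not from any post in this thread) showing the difference between dropping columns with `fields -`, keeping columns with `fields`, and keeping columns with `table`. The eventtype and pack name pattern are the ones used in the question; the column names are the ones `fieldsummary` emits by default. Note that `fields -` takes the minus sign once, followed by the comma-separated list of columns to drop.

```spl
eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m
| fieldsummary
| fields - count, distinct_count, is_exact, max, mean, min, numeric_count, stdev, modes, values
```

The same single-column result is obtained by naming only the column you want, either with `fields field` (cheaper, because `fields` is a streaming command) or with `table field` (which also reorders the columns for display):

```spl
eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m
| fieldsummary
| fields field
```

The `-` form is the safer choice when `fieldsummary` might add columns you did not anticipate, whereas the positive form is explicit about exactly which columns reach the report or dashboard.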

Re: Fieldsummary output: remove columns I don't need.

New Member

Thanks, that worked.

I have one more question if you can help.

Query:
eventtype=osquery_osquery earliest=-5m
| stats values(fieldsummary) by name
[ | fieldsummary
| fields - count, - distinct_count, - is_exact, - max, - mean, - min, - numeric_count, - stdev, - values]

Looking for the result as:
2 columns: name and field (the one column from the fieldsummary search)

Can you help me to modify the query to get the correct answer?

Thanks


Re: Fieldsummary output: remove columns I don't need.

Motivator

Did you read my answer?


Re: Fieldsummary output: remove columns I don't need.

Ultra Champion

@john_shashank
Please accept my answer.

Your query is not clear. What are you going to find out with this query?

Ask another question and provide a sample log at that point.

No one can see name, and why do you use fieldsummary at this place?
osquery's output has name, I know, but I can't understand what you want to do.

@codebuilder
"remove columns I don't need"
For this Q, fields is appropriate, so I think table is good, too.


Re: Fieldsummary output: remove columns I don't need.

Motivator

@to4kawa I agree with you, both options work in this case (fields or table), and your suggestion was first, and correct.


Re: Fieldsummary output: remove columns I don't need.

New Member

I am trying to achieve something like the picture below.
https://drive.google.com/open?id=1Atr-qDM68Dc_pLy7WsGFeiFbiEvvjha2

This is what I just created as an example. @to4kawa, if there is any other way to extract the field, please feel free to share the syntax. Thanks.


Re: Fieldsummary output: remove columns I don't need.

Ultra Champion

Your query is not clear. What are you going to find out with this query?
Ask another question and provide a sample log at that point.

Another way:

Use map and search each name.

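The suggestion above ("use map and search each name") is the idea behind the following added SPL example; it is not code from the thread, and the exact form (driving `map` from a `stats count by name` list, tagging each sub-search's rows with `$name$`) is this editor's assumption. It first collects the distinct pack names, then runs `fieldsummary` once per name, so the final table has one row per name with the field names seen for that pack.

```spl
eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m
| stats count by name
| map maxsearches=20 search="search eventtype=osquery_osquery name=\"$name$\" earliest=-5m | fieldsummary | fields field | eval name=\"$name$\""
| stats values(field) AS field by name
```

`fieldsummary` discards the original events, which is why `name` is gone after it in the question's query; `map` works around that by running the summary per name and re-attaching the name with `eval`. Keep `maxsearches` at least as large as the number of distinct packs, and remember that each iteration is a separate search, so this is a reporting query rather than something to schedule every minute.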

Re: Fieldsummary output: remove columns I don't need.

Motivator

In your example, table will work, but your syntax is not correct. Use table to include the values you want.

e.g.

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m| fieldsummary | table field, count, max

Re: Fieldsummary output: remove columns I don't need.

New Member

Your command worked completely fine, but as there are multiple packs under the field called "name", I modified the query to the following, which did not work for me. Can you help me with that?

eventtype=osquery_osquery name="pack_incident_response_*" earliest=-5m| fieldsummary | stats value(field), name
