Splunk Search

Exclude 'default'/'system' fields in `table *`

henricook
New Member

I've got a JSON event that I like to tabulate by using `index=myindex | table *`

When I do this though it includes some system fields, such as `host`, `index`, `linecount`, `punct`, `source`, `sourcetype`

Does anyone know if there's a way to exclude them without naming them all individually via a built in method/variable?

e.g. `index=myindex | fields - $SYSTEM_FIELDS$ | table *`

Thanks,

Henri

Labels (3)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@henricook 

Not sure there is Splunk Variable available globally for that. But you can go with your approach by removing all default fields.

like,

| fields - _indextime, _cd, _bkt, host, index, linecount, punct, source, sourcetype, splunk_server, timestamp,date_*

_raw and _time also default field we should keep it.  🙂 

Check below link for more details about Default Fields

https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Usedefaultfields#Use_default_fields

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...