Solved: Re: How to exclude certain fields from search resu...

Yaichael · ‎06-13-2016

I would like to exclude certain fields from search results and keep the rest of the information (not discarding the event), so Splunk can send it to an email later on.

For example. Let's say I have the following event:

devname = foo , devid = uuid , msg = info

Then, I discard devname = foo

devid = uuid , msg = info
Finally, send configured event to email.

Is there a way to do this?

richgalloway · ‎06-13-2016

Try ... | fields - devname | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

MuS · ‎06-13-2016

Hi Yaichael,

you can use either fields or table to specify the fields which should be used further in Splunk:

 Your base search here | fields devid msg | do more stuff here

or

Your base search here | table devid msg | do more stuff here

The difference between fields and table is that table only keeps those fields specified in a table format, where as fields also provides fields like _time and _raw as well in the event set.
Hope this helps ...

cheers, MuS

richgalloway · ‎06-13-2016

Try ... | fields - devname | ...

---
If this reply helps you, Karma would be appreciated.

How to exclude certain fields from search results?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...