Solved: Re: REMOVE AN EXTRA FIELD

sphiwee · ‎10-19-2020

i have regular expression that i use to extract the below words, but i dont want to show the Results fiels or column, how do i exclude it?

Ive tried | fields -Results & it didnt work

I

thambisetty · ‎10-19-2020

can you try below command after rex command and check if you see field business_field and value Results. if you don't see that means there could be white space added at starting or ending of Results value.

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

you can try below to make sure there is white space.

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

if above search works then you can try below in your actual search

| search business_field=* NOT business_field=*Results*

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎10-19-2020

can you try below command after rex command and check if you see field business_field and value Results. if you don't see that means there could be white space added at starting or ending of Results value.

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

you can try below to make sure there is white space.

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

if above search works then you can try below in your actual search

| search business_field=* NOT business_field=*Results*

————————————
If this helps, give a like below.

thambisetty · ‎10-19-2020

replace your search command just before timechart with below

| search business_field=* NOT business_field=Results

if you think you have got 100% matches for field business_field extracted using rex command the below search would be enough. no need to say business_field=* ( this is useful to ignore null values in events if there are any events they are not matched for regex and returned null values)

| search NOT business_field=Results

————————————
If this helps, give a like below.

sphiwee · ‎10-19-2020

still not working

gcusello · ‎10-19-2020

Hi @sphiwee,

could you try to execute the last search in verbose mode?

Ciao.

Giuseppe

thambisetty · ‎10-19-2020

share your query to understand if Results appeared in chart has derived from another field.

————————————
If this helps, give a like below.

sphiwee · ‎10-19-2020

Heres the query, i want to remove the far right field "Results"

sphiwee · ‎10-19-2020

here is my query @inventsekar

gcusello · ‎10-19-2020

Hi @sphiwee,

put a space between - and the field name

| fields - Results

Ciao.

Giuseppe

sphiwee · ‎10-19-2020

Still not working

gcusello · ‎10-19-2020

Hi @sphiwee,

sorry, I misunderstood!

Try adding to the last "search command" also

NOT business_field="Results"

P.S.: you don't need "AND" operator in search.

Ciao.

Giuseppe

sphiwee · ‎10-19-2020

Still not working, now receiving an error

inventsekar · ‎10-19-2020

Hi @sphiwee whats your current search query? you can not use "business_field=Results" inside the fields command.

gcusello · ‎10-19-2020

Hi @sphiwee,

sorry I wasn't clear, in your search replace

| search business_field=* AND "status:COMPLETED"

with

| search business_field=* "status:COMPLETED" NOT business_field="Results"

and do not use more the field command.

Ciao.

Giuseppe

REMOVE AN EXTRA FIELD

field extraction

fields

regex

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!