Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REMOVE AN EXTRA FIELD

sphiwee
Contributor
‎10-19-2020 05:58 AM

i have regular expression that i use to extract the below words, but i dont want to show the Results fiels or column, how do i exclude it? 

 

Ive tried        | fields -Results  & it didnt work  

 

Isphiwee_0-1603112079235.png

 

Labels (4)
Labels
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎10-19-2020 07:11 AM

can you try below command after rex command and check if you see field business_field and value Results. if you don't see that means there could be white space added at starting or ending of Results value. 

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

 you can try below to make sure there is white space.

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

if above search works then you can try below in your actual search

| search business_field=* NOT business_field=*Results*

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎10-19-2020 07:11 AM

can you try below command after rex command and check if you see field business_field and value Results. if you don't see that means there could be white space added at starting or ending of Results value. 

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

 you can try below to make sure there is white space.

| search business_field=* NOT business_field=Results
| stats count by business_field
| search business_field=*Results*

if above search works then you can try below in your actual search

| search business_field=* NOT business_field=*Results*

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎10-19-2020 06:54 AM

replace your search command just before timechart with below

 

| search business_field=* NOT business_field=Results

if you think you have got 100% matches for field business_field extracted using rex command the below search would be enough. no need to say business_field=* ( this is useful to ignore null values in events  if there are any events they are not matched  for regex and returned null values)

 

| search NOT business_field=Results​

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

sphiwee
Contributor
‎10-19-2020 07:04 AM

still not working 

sphiwee_0-1603116274868.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2020 07:15 AM

Hi @sphiwee,

could you try to execute the last search in verbose mode?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎10-19-2020 06:11 AM

share your query to understand if Results appeared in chart  has derived from another field.

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

sphiwee
Contributor
‎10-19-2020 06:20 AM

sphiwee_0-1603113586356.png

Heres the query, i want to remove the far right field "Results"

0 Karma
Reply
Solved! Jump to solution

sphiwee
Contributor
‎10-19-2020 07:12 AM

here is my query @inventsekar 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2020 06:04 AM

Hi @sphiwee,

put a space between - and the field name

| fields - Results

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sphiwee
Contributor
‎10-19-2020 06:15 AM

Still not working

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2020 06:31 AM

Hi @sphiwee,

sorry, I misunderstood!

Try adding to the last "search command" also

NOT business_field="Results"

 

P.S.: you don't need "AND" operator in search.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

sphiwee
Contributor
‎10-19-2020 06:38 AM

 

sphiwee_0-1603114675448.png

Still not working, now receiving an error

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2020 07:09 AM

Hi @sphiwee whats your current search query? you can not use "business_field=Results" inside the fields command.

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2020 06:59 AM

Hi @sphiwee,

sorry I wasn't clear, in your search replace 

| search business_field=* AND "status:COMPLETED"

 with

| search business_field=* "status:COMPLETED" NOT business_field="Results"

and do not use more the field command.

Ciao.

Giuseppe

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...