Solved: Transpose and Timechart giving unnecessary fields

jofermin · ‎08-02-2017

After I transpose my timechart, I'm getting 3 fields under my Column that I want to get rid of: _span, _spandays, and _time. It looks like this:

column | row 1 | row 2
_time | ### | ###
... | .... | ...
_span |
_spandays|

Is there a way to hide the rows or delete them?

I've tried using field - _span, but it doesn't work.

Here's my search:

| timechart limit=1000 span=3month dc(user) by Customer | transpose | fields - _span | rename column as Customer, "row 1" as "3 Months Before", "row 2" as "Latest 3 Months"

woodcock · ‎08-02-2017

Add this to the end:

| regex column!=("^_")

Or better yet add this before the transpose command:

| fields - _*

View solution in original post

cmerriman · ‎08-02-2017

you can do a |search column!=_* after transpose
or add |fields - _* before transpose

woodcock · ‎08-02-2017

Add this to the end:

| regex column!=("^_")

Or better yet add this before the transpose command:

| fields - _*

jofermin · ‎08-02-2017

Thanks, both work perfectly!

Transpose and Timechart giving unnecessary fields

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI