Solved: Re: Transpose and Timechart giving unnecessary fie...

jofermin · ‎08-02-2017

After I transpose my timechart, I'm getting 3 fields under my Column that I want to get rid of: _span, _spandays, and _time. It looks like this:

column | row 1 | row 2
_time | ### | ###
... | .... | ...
_span |
_spandays|

Is there a way to hide the rows or delete them?

I've tried using field - _span, but it doesn't work.

Here's my search:

| timechart limit=1000 span=3month dc(user) by Customer | transpose | fields - _span | rename column as Customer, "row 1" as "3 Months Before", "row 2" as "Latest 3 Months"

woodcock · ‎08-02-2017

Add this to the end:

| regex column!=("^_")

Or better yet add this before the transpose command:

| fields - _*

View solution in original post

cmerriman · ‎08-02-2017

you can do a |search column!=_* after transpose
or add |fields - _* before transpose

woodcock · ‎08-02-2017

Add this to the end:

| regex column!=("^_")

Or better yet add this before the transpose command:

| fields - _*

jofermin · ‎08-02-2017

Thanks, both work perfectly!

Transpose and Timechart giving unnecessary fields

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms