- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which command is used to take away a field from the results display?
Is there a specific command that we use to take away a field from the results displayed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are two ways to do that, and they have different effects -
| fields - myfield
| fields + keepfield1 keepfield2 ... keepfieldX
The fields command is a distributable, streaming command. The first one removes myfield, the second one removes all fields except the listed ones, but also leaves the internal fields like _time. There is no limit on the number of records that can pass through the fields command.
| table keepfield1 keepfield2 ... keepfieldX
The table command is NOT a streaming command, it is a transforming command. It keeps only the listed fields, deleting all internal fields that aren't listed, and formats the result as a table. WARNING - Table has a limit to the number of results it puts out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunkerkanaka, it should be | fields - <YourFieldToBeRemoved>
Refer to documentation on fields command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields
| makeresults | eval message= "Happy Splunking!!!"
