Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does "| fields - _*" and "| fields - _raw,_time" give zero results?

bradparks
Explorer
‎03-13-2017 07:30 AM

I've got a query that gives 178 results, and it ends with me filtering down to a single field, which by itself works fine.

| fields url

I then want to remove the internal fields, like _time and _raw, as I want to both export the data to csv with only this field, and I want to be able to do set intersect comparisons that only compare on the one field.

If I try piping this to fields to remove the internal fields, like either of the following, I get zero results

| fields url | fields - _*
| fields url | fields - _raw,_time

I've noticed that if I include _time in the fields parameter, that's when my results go to zero.

Any suggestions?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-13-2017 08:09 AM

Just use table command instead of fields 

your base search | table url

This should only keep the field url without any _* fields.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-13-2017 08:09 AM

Just use table command instead of fields 

your base search | table url

This should only keep the field url without any _* fields.

Reply
Solved! Jump to solution

bradparks
Explorer
‎03-13-2017 09:25 AM

Great! this does exactly what I want... Much appreciated!

0 Karma
Reply
Solved! Jump to solution

bradparks
Explorer
‎03-13-2017 07:56 AM

I'm using Splunk 6.3, which supports this feature supposedly.

0 Karma
Reply
Solved! Jump to solution

naidusadanala
Communicator
‎03-13-2017 08:10 AM

specify the fields you wants with

|fields your fields

The above will fetch only the fields you specified but not internal fields.

To eliminate just use |fields - _time, _raw .

Using the fields command twice is creating confusion for splunk process

thanks

0 Karma
Reply
Solved! Jump to solution

bradparks
Explorer
‎03-13-2017 09:26 AM

i tried that, but found that it doesn't work as expected... You can see here in the Splunk docs themselves, that they suggestion doing it like I was doing it above

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Fields

Keep only the host and ip fields.
Remove all of the internal fields. The
internal fields begin with an
underscore character, for example
_time.

... | fields host, ip | fields - _*

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...