- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why does "| fields - _*" and "| fields - _raw,...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've got a query that gives 178 results, and it ends with me filtering down to a single field, which by itself works fine.
| fields url
I then want to remove the internal fields, like _time and _raw, as I want to both export the data to csv with only this field, and I want to be able to do set intersect comparisons that only compare on the one field.
If I try piping this to fields to remove the internal fields, like either of the following, I get zero results
| fields url | fields - _*
| fields url | fields - _raw,_time
I've noticed that if I include _time in the fields parameter, that's when my results go to zero.
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just use table command instead of fields
your base search | table url
This should only keep the field url without any _* fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just use table command instead of fields
your base search | table url
This should only keep the field url without any _* fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! this does exactly what I want... Much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm using Splunk 6.3, which supports this feature supposedly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
specify the fields you wants with
|fields your fields
The above will fetch only the fields you specified but not internal fields.
To eliminate just use |fields - _time, _raw .
Using the fields command twice is creating confusion for splunk process
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i tried that, but found that it doesn't work as expected... You can see here in the Splunk docs themselves, that they suggestion doing it like I was doing it above
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Fields
Keep only the host and ip fields.
Remove all of the internal fields. The
internal fields begin with an
underscore character, for example
_time.... | fields host, ip | fields - _*
Data-Driven Success: Splunk & Financial Services
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
