I've got a query that gives 178 results, and it ends with me filtering down to a single field, which by itself works fine.
| fields url
I then want to remove the internal fields, like _raw, as I want to both export the data to CSV with only this field, and be able to do set intersect comparisons that only compare on the one field.
If I try piping this to fields to remove the internal fields, like either of the following, I get zero results:
| fields url | fields - _*
| fields url | fields - _raw,_time
I've noticed that if I include _time in the fields parameter, that's when my results go to zero.
Specify the fields you want with
| fields your_fields
The above will fetch only the fields you specified, but not internal fields.
To eliminate them, just use | fields - _time, _raw .
Using the fields command twice creates confusion for the Splunk process.
I tried that, but found that it doesn't work as expected... You can see here in the Splunk docs themselves that they suggest doing it like I was doing it above:
Keep only the host and ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example:
... | fields host, ip | fields - _*
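As an added illustration (not from the thread or the Splunk docs), here are the two consumers the question mentions written out as full searches: a CSV export that carries only url, and a set intersect between two time ranges that compares on url alone. The index and sourcetype names (`web`, `access_combined`), the lookup-style file name `urls_only` and the time ranges are assumptions chosen for the example; the `fields url | fields - _*` step inside each branch is the pattern quoted from the docs above.

```spl
index=web sourcetype=access_combined earliest=-24h
| fields url
| fields - _*
| outputcsv urls_only

| set intersect
    [search index=web sourcetype=access_combined earliest=-24h
        | fields url | fields - _*]
    [search index=web sourcetype=access_combined earliest=-48h latest=-24h
        | fields url | fields - _*]
```

`outputcsv` writes the results to `$SPLUNK_HOME/var/run/splunk/csv/urls_only.csv` on the search head; `set intersect` is a generating command, so it starts with a leading pipe and takes its two subsearches in square brackets. Because each branch has already dropped everything except url, the intersection is computed on that one field rather than on _time and _raw as well, which would otherwise make every event unique.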