Splunk Search

Why does "| fields - _*" and "| fields - _raw,_time" give zero results?

Explorer

I've got a query that gives 178 results, and it ends with me filtering down to a single field, which by itself works fine.

| fields url

I then want to remove the internal fields, like _time and _raw, as I want to both export the data to csv with only this field, and I want to be able to do set intersect comparisons that only compare on the one field.

If I try piping this to fields to remove the internal fields, like either of the following, I get zero results:

| fields url | fields - _*
| fields url | fields - _raw,_time

I've noticed that if I include _time in the fields parameter, that's when my results go to zero.

Any suggestions?


SplunkTrust

Just use the table command instead of fields:

your base search | table url 

This should only keep the field url without any _* fields.

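As an added SPL example (not part of the original thread), here is the accepted answer carried through to the two things the question asked for: a CSV export containing only the url column, and a set intersect that compares on url alone. The index name, sourcetype and time ranges are assumed placeholders; substitute your own base search.

```spl
index=web sourcetype=access_combined
| table url
| dedup url
| outputcsv urls_seen.csv

| set intersect
    [ search index=web sourcetype=access_combined earliest=-1d@d latest=@d | table url ]
    [ search index=web sourcetype=access_combined earliest=@d | table url ]
```

The first search writes the file to $SPLUNK_HOME/var/run/splunk/csv/ on the search head with a single url column, because table keeps only the named field and drops _time and _raw. In the second search, set is a generating command, so it starts with a leading pipe and takes two subsearches; each subsearch ends in table url so that both sides are reduced to the same single column before the intersection is computed. Keep in mind that subsearches are subject to the usual result limit (10,000 rows by default), so on large result sets dedup before the table, or narrow the time range, to avoid a silently truncated comparison.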


Explorer

Great! This does exactly what I want... Much appreciated!


Explorer

I'm using Splunk 6.3, which supports this feature supposedly.


Communicator

Specify the fields you want with

|fields your fields

The above will fetch only the fields you specified but not internal fields.

To eliminate them, just use |fields - _time, _raw.

Using the fields command twice is creating confusion for the Splunk process.

Thanks


Explorer

I tried that, but found that it doesn't work as expected... You can see here in the Splunk docs themselves that they suggest doing it like I was doing it above:

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Fields

Keep only the host and ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example _time.

... | fields host, ip | fields - _*
