Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to remove few content from splunk output

avi123
Explorer
‎03-10-2025 03:15 AM

Hi All,

I have a splunk query giving results in this format:
Time                                                             Event
3/10/25 10:52:15.000 AM                 { [-]
                                                                         BCDA_AB_CD_01: 1
                                                                         BCAD_AB__02: 0
                                                                         BCDA_AB_DC: 1
                                                                         BCAD_CD_02: 0
                                                                        }

However I want to remove the BCAD_AB__02 and BCAD_CD_02 from the output. Please help me write a splunk query to exclude these two values from the output. I tried doing  | fields - BCAD_AB__02 BCAD_CD_02 
but this didn't work

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-10-2025 07:55 AM

Hi @avi123 

How about this?

You can remove the fields as you are doing, then do | tojson

livehybrid_0-1741618484879.png

 

Here is a sample SPL

| makeresults 
| eval _raw=json_extract("{\"BCDA_AB_CD_01\": 1, \"BCAD_AB__02\": 0, \"BCDA_AB_DC\": 1, \"BCAD_CD_02\": 0}","")
| spath input=_raw
| fields - BCAD_CD_02 BCAD_AB__02
| tojson

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 03:17 AM

Hi @avi123 ,

could you share the search and the field names you're using ?

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...