Splunk Search

remove column name from |table result

Chubbybunny
Splunk Employee
Splunk Employee

I have a search that provides a table result:

host="host1" index="main" | head 1 | table index host

Is it possible to remove or ommit the column name from the result?

I've tried:

host="host1" index="main" | head 1 | rename host AS NULL, index AS NULL | table NULL NULL

any carrots for the Chubbybunny?

(\__/)
(='.'=)
(")_(")
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

Don't ask for a field if you just plan to exclude it. I've tried to do this, and, AFAIK, there isn't a way to do this successfully. You'll always end up with a header, and presuming you're trying to export these results into something else, you'll end up with trouble. Just duplicate the search and leave the field off, save yourself a headache on the other side of things.

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

Don't ask for a field if you just plan to exclude it. I've tried to do this, and, AFAIK, there isn't a way to do this successfully. You'll always end up with a header, and presuming you're trying to export these results into something else, you'll end up with trouble. Just duplicate the search and leave the field off, save yourself a headache on the other side of things.

lguinn2
Legend

This is a kludge, but it might work.

host="host1" index="main" | head 1 | 
fields - _raw _time |
fields + host index |
rename host AS " ", index AS "   " 

When this search runs, I think that the Table view button will show you what you want. It will still have a header area, but it should be blank.

I think there are easier ways, though, if you want to put this in a dashboard....

atulod1
New Member

if ever 2 data in one field and they are Domain_Name = Domestic_Dev and Domain_Name = Domestic_QA I want to remove the Domain_Name =Domestic_QA

0 Karma

dshpritz
SplunkTrust
SplunkTrust

You should be able to use the fields command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fields

So to omit the "carrots" field:

host="host1" index="main" | head 1 | table index host | fields - carrots

HTH

Dave

lguinn2
Legend

That will omit the field AND the header. I think the bunny just wants to omit the header.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...