Splunk Search

remove column name from |table result

Chubbybunny
Splunk Employee
Splunk Employee

I have a search that provides a table result:

host="host1" index="main" | head 1 | table index host

Is it possible to remove or ommit the column name from the result?

I've tried:

host="host1" index="main" | head 1 | rename host AS NULL, index AS NULL | table NULL NULL

any carrots for the Chubbybunny?

(\__/)
(='.'=)
(")_(")
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

Don't ask for a field if you just plan to exclude it. I've tried to do this, and, AFAIK, there isn't a way to do this successfully. You'll always end up with a header, and presuming you're trying to export these results into something else, you'll end up with trouble. Just duplicate the search and leave the field off, save yourself a headache on the other side of things.

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

Don't ask for a field if you just plan to exclude it. I've tried to do this, and, AFAIK, there isn't a way to do this successfully. You'll always end up with a header, and presuming you're trying to export these results into something else, you'll end up with trouble. Just duplicate the search and leave the field off, save yourself a headache on the other side of things.

lguinn2
Legend

This is a kludge, but it might work.

host="host1" index="main" | head 1 | 
fields - _raw _time |
fields + host index |
rename host AS " ", index AS "   " 

When this search runs, I think that the Table view button will show you what you want. It will still have a header area, but it should be blank.

I think there are easier ways, though, if you want to put this in a dashboard....

atulod1
New Member

if ever 2 data in one field and they are Domain_Name = Domestic_Dev and Domain_Name = Domestic_QA I want to remove the Domain_Name =Domestic_QA

0 Karma

dshpritz
SplunkTrust
SplunkTrust

You should be able to use the fields command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fields

So to omit the "carrots" field:

host="host1" index="main" | head 1 | table index host | fields - carrots

HTH

Dave

lguinn2
Legend

That will omit the field AND the header. I think the bunny just wants to omit the header.

Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...