In SQL-speak, "how do I specify the columns in the SELECT clause"? Normally, Splunk does the equivalent of SELECT *, which might not be wanted.
Say you want only field foo.
In 3.x: ... | FIELDS + foo
In 4.x: ... | FIELDS foo | FIELDS - _*
If the field has values like field=0, field=1, etc., how can I filter this field to those with values greater than 1?
Hi @Rajpranar,
This is a lovely thread, but it's 14 years old. Asking a new, unanswered question will help you get an answer more quickly.
You can use the greater than operator in field expressions:
field>1
See https://docs.splunk.com/Documentation/Splunk/latest/Search/Fieldexpressions.
If you need to compare the value of two fields, use the where command:
| where field2>field1
Thanks @tscroggins, I did post a new question.
How do I filter a field from the log where the values change? For example, please see below:
logfile =(result1=0 result2=5 result3=10 result4=14) at 5AM
logfile =(result1=8 result2=5 result3=10 result4=14) at 5:10Am
logfile =(result1=4 result2=5 result3=10 result4=14) at 5:20Am
logfile =(result1=3 result2=5 result3=10 result4=14) at 5:30Am
I want a query to return results and show when result1 is greater than 5, please help.
Current state I'm at: index=indexname | search sourcetype=eventname "result1=5" gives results, but if I do
index=indexname | search sourcetype=eventname "result1> 4" it returns nothing.
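As an added example (not from any poster in this thread), the search below rebuilds the four sample events above with makeresults so it runs on any Splunk instance without an index, then applies the two techniques the thread discusses: a numeric comparison on result1 and a fields projection that drops the internal _* fields. Note that a quoted term such as "result1> 4" is matched as a literal phrase in the raw event text, whereas an unquoted result1>4 in the base search, or where result1>4, is a field comparison; the timestamps and the extraction regex are constructed for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=strptime("2024-01-01 05:00:00","%Y-%m-%d %H:%M:%S") + (n-1)*600
| eval _raw=case(n==1, "result1=0 result2=5 result3=10 result4=14",
                 n==2, "result1=8 result2=5 result3=10 result4=14",
                 n==3, "result1=4 result2=5 result3=10 result4=14",
                 n==4, "result1=3 result2=5 result3=10 result4=14")
| rex field=_raw "result1=(?<result1>\d+)"
| where tonumber(result1) > 4
| fields _time result1
| fields - _raw
```

Only the 05:10 event (result1=8) survives the where clause; to also hide _time, use fields - _* as in the accepted answer, which removes every internal field at once.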
_* refers to the reserved (a.k.a. "internal") fields such as _time.
So it seems to read "I want foo, and I don't want any internal fields".
The explanation at http://www.splunk.com/base/Documentation/latest/SearchReference/Fields might make more sense to you.
what does the _* in the 4.x string mean? Why the underscore?