if I have 20 columns on display in the stats tab view after my search, can I just remove the first 10, instead of having to name all 10 for deletion?
So my search would look something like:
...search... | fields -1-10
Or better still can I delete all but the last 6?
you could use a "table" or explicitly list the fields with the "fields" command...
... search ... | table field11 field12 field13 field14 field15 field16
or
... search ... | fields field11 field12 field13 field14 field15 field16
Try it this way:
...search... | eval time = strftime(_time,"%y-%m-%d %H:%M") | table time field11 field12
tks jim, that does the trick,
but if I have columns as follows; _time, field1, .... field11, field12 ....
and then I do: fields field11 field12
I get: field11, field12, _time
so to have _time as the leftmost column I have to do: fields _time field11 field12
which must be just how it works I guess?
Fields just selects the fields that are used for the search from the point forward, it's kind of a way to optimise the results (used quite extensively for summary indexing.)
Use the table command to order your fields...
... | table _time field1 field1* field2*
I prefer fields
table changes the time format to this which doesn't look as good on the x-axis
2015-04-29 14:00:00
using fields it stays as this
2015-04-29 13:00
Understand the difference between what these commands do in Splunk:
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Fields
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/table
Use fieldformat to change the format of the time field. Table provides the full value of the event for statistical operations.
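As an added example that is not from any poster in this thread, the following search puts the three pieces of advice above together: restrict the columns with fields, keep _time as the leftmost column by listing it first in table, and use fieldformat so the display format changes without altering the underlying epoch value that stats and charting work on. The index, sourcetype and field names (status, bytes, requests, total_bytes) are constructed for illustration and are not from the original question.

```spl
index=web sourcetype=access_combined
| bin _time span=1h
| stats count AS requests, sum(bytes) AS total_bytes BY _time, status
| fields _time status requests total_bytes
| fieldformat _time = strftime(_time, "%y-%m-%d %H:%M")
| table _time status requests total_bytes
```

Because fieldformat only affects how _time is rendered, a later stats or timechart over the same results still sees the full epoch value; the eval-based approach in the earlier reply replaces the value itself, which is why the two display differently on the x-axis.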