Solved: Why can't I remove fields created by doing transpo...

woodcock · ‎06-12-2015

Why does this not work (v6.2.3)?

index=* | stats count by host | transpose | transpose  | fields - row*

The work-around is that this does work, but it reorders the fields (very undesirable):

index=* | stats count by host | transpose | transpose  | table * | fields - row*

I am pretty sure this is a bug but I thought I would ask before opening a case.

martin_mueller · ‎06-12-2015

Opening a case is a good idea nonetheless, removing field values without removing the field names from the table should not happen in any scenario.

Until then, here's a nicer workaround that should not have any real drawbacks:

... | foreach row* [fields - "<<FIELD>>"]

View solution in original post

martin_mueller · ‎06-12-2015

Opening a case is a good idea nonetheless, removing field values without removing the field names from the table should not happen in any scenario.

Until then, here's a nicer workaround that should not have any real drawbacks:

... | foreach row* [fields - "<<FIELD>>"]

martin_mueller · ‎06-21-2015

The problem here is that you're using fieldformat in the middle of a search. Using that there makes no sense because it only changes the rendering of a field, not the value itself. Hence it has no use for the search as a whole, considering the Week value is not being displayed after the final stats.

It's a bit understandable that the empty Week column header is still displayed despite the field being kicked out - your fieldformat has "deposited" orders on how to render a field when it's being displayed, so the UI displays the field according to those orders. It can't expect that it has custom orders on how to render a field that's not even displayed, because that would make no sense.

woodcock · ‎06-12-2015

Sweet; why didn't i think of that?

CASE [247138] : The "fields" command cannot remove "row*" fields created by "transpose" command

woodcock · ‎06-20-2015

I found another example for which the "tables *" workaround does not
work. Try this run-anywhere version:

index=_internal| eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a")| stats count by host Week | stats sum(MAX) as Total by host | table * | fields - Week

martin_mueller · ‎06-12-2015

To avoid using table, you could replace fields - row* with fields column.
Not quite sure what you're talking about concerning reordering, considering there's only going to be one field left called column after removing all the row* fields.

What are you actually trying to achieve by transposing twice? It seems the fields - row* weirdness happens when transposing only once as well, I'm seeing the content being removed but the field names still being there.

woodcock · ‎06-12-2015

I boiled it down to a simple run-anywhere example that implied some things it shouldn't have. My actual situation (a macro) can have many more fields (so the | table * solution is unsatisfactory because it sorts the fields alphabetically) and is generic (so I do not know how many fields I have or what their names will be) so the | fields + keepfields also will not work. I am going to open a case.

Why can't I remove fields created by doing transpose twice?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!