Splunk Search

How to only keep _time and _raw fields in the search results?

karan1337
Path Finder

I wish to keep only _time and _raw fields in the export output file. I read in the documentation that | fields - _* removes all internal fields, but how can I keep only specific internal fields in the output?

Also, when I use table I get _indextime, and without it I only see _time. Why is there a distinction between the fields I see in the same output when table or fields is used? The _time is in "2015-07-06 01:48:09.118 GMT" format whereas _indextime is in epoch format. How can I convert _time into the equivalent epoch time?

0 Karma

esix_splunk
Splunk Employee

Be aware there are more differences between table and fields than just the stripping away of internal fields. They are mainly related to statistical functions and reporting, but do note it can break searches.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Table
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Fields

Use table command when you want to retain data in tabular format. The table command can be used to build a scatter plot to show trends in the relationships between discrete values of your data. Otherwise, you should not use it for charts (such as chart or timechart) because the UI requires the internal fields (which are the fields beginning with an underscore, _*) to render the charts, and the table command strips these fields out of the results by default. Instead, you should use the fields command because it always retains all the internal fields.

0 Karma

MuS
SplunkTrust

Hi karan1337,

you can run this everywhere search:

index=_internal | table _time _raw

and you will only get _time and _raw in the output. _time is always epoch, but the UI will convert it to human readable time.
The distinction between table and fields is that table only keeps the provided fields, whereas fields keeps the internal fields as well.

Hope that helps ...

cheers, MuS
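As an added example (not part of MuS's answer), the search below puts the stored epoch value of _time next to a rendered string of it, does the same for _indextime, and then uses table so that only the listed fields reach the export. The sourcetype and time range are assumptions; any index and window will do.

```spl
index=_internal sourcetype=splunkd earliest=-15m
| eval time_epoch=_time
| eval time_human=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N %Z")
| eval indextime_human=strftime(_indextime, "%Y-%m-%d %H:%M:%S %Z")
| table _time time_epoch time_human _indextime indextime_human _raw
```

time_epoch shows the same number that _time already holds internally, so no conversion is needed for an epoch export; drop the extra eval lines and keep `| table _time _raw` once the values have been compared.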

karan1337
Path Finder

@MuS What is index=_internal?

0 Karma

esix_splunk
Splunk Employee

_internal is the Splunk internal index, used for internal logging of metrics, errors, logins, search history, etc.
