I would like to exclude certain fields from search results and keep the rest of the information (not discarding the event), so Splunk can send it to an email later on.
For example, let's say I have the following event:
devname = foo , devid = uuid , msg = info
Then, I discard devname = foo
devid = uuid , msg = info
Finally, send configured event to email.
Is there a way to do this?
Try ... | fields - devname | ...
Hi Yaichael,
you can use either fields or table to specify the fields which should be used further in Splunk:
Your base search here | fields devid msg | do more stuff here
or
Your base search here | table devid msg | do more stuff here
The difference between fields and table is that table only keeps those fields specified in a table format, whereas fields also provides fields like _time and _raw as well in the event set.
Hope this helps ...
cheers, MuS