Hi,
I want to remove the source and sourcetype field values of
Unix:Service
Unix:Uptime
Unix:Version
package
ps
Please help me with how to remove the mentioned field values.
Screenshot is attached
index=linux*
NOT (sourcetype = "Unix:Service" OR sourcetype = "Unix:Uptime" OR sourcetype = "Unix:Version" OR sourcetype = "package" OR sourcetype = "ps")
NOT (source = "Unix:Service" OR source = "Unix:Uptime" OR source = "Unix:Version" OR source = "package" OR source = "ps")
| stats max(_time) .... REST OF QUERY HERE
Let me know if that's what you need
If by "remove" you intend to delete the data from the Splunk index, then it can't be done. Data in Splunk cannot be modified.
On the other hand, you may be wanting to not show certain fields. That is done with the fields command.
... | fields - Unix:Service Unix:Uptime Unix:Version package ps
Thanks, I got the answer for the same query.
Try this
index=linux* NOT (sourcetype=UNIX* OR source=UNIX*) | stats latest(_time) as last_time by host source sourcetype | ....