Splunk Dev

Can I select specified fields with the Python SDK?

anshanno
Path Finder

I'd like to write a Python script to select only certain fields, as the UI does (example below), and load them into a pandas dataframe.



jkat54
SplunkTrust

Yes, just use the fields command in your search string:

...|fields Action bug_id Host User


anshanno
Path Finder

Awesome, thank you so much! I wasn't able to find this in the documentation.

EDIT: is there a way to get rid of the extra garbage too? I am presuming something like ...|exclude fields yada yada?

Action,User,"b_Project",Host,"_bkt","_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype","_subsecond","_time"


jkat54
SplunkTrust
SplunkTrust

It's ... | fields - thisOne thatOne

Minus removes, plus adds. Plus technically works too if you need to add a blank field, or if you just want to be verbose.

... | fields + Action bug_id Host User
is same as
... | fields Action bug_id Host User
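The two answers above (keep fields with `fields`, drop the internal underscore columns with `fields -`) combined into the script the question asks for. This is an added example, not code from the thread or from the Splunk SDK project. It assumes the splunk-sdk package (splunklib, a version that provides `JSONResultsReader`) and pandas are installed, that SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASSWORD are set in the environment, and it uses a placeholder index name `bugs` plus the field names from the thread.

```python
# Added example: select only the wanted fields server-side with "fields +",
# drop Splunk's internal "_*" columns with "fields -", run the search through
# the Splunk Python SDK and load the rows into a pandas DataFrame.
#
# Assumptions: splunklib (splunk-sdk) with JSONResultsReader and pandas are
# installed; SPLUNK_HOST / SPLUNK_USER / SPLUNK_PASSWORD are environment
# variables you set; index "bugs" and the field names are placeholders.
import os
import re

# Internal fields Splunk attaches to every result, as seen in the CSV header in
# the follow-up question. A plain "fields" does not remove underscore fields.
INTERNAL_FIELDS = ("_bkt", "_cd", "_indextime", "_kv", "_raw", "_serial",
                   "_si", "_sourcetype", "_subsecond", "_time")

# Field names come from the caller; refuse anything (pipes, quotes, whitespace)
# that could smuggle another SPL command into the search string.
_FIELD_NAME = re.compile(r"^[A-Za-z0-9_.:-]+$")


def build_search(base, keep, drop=INTERNAL_FIELDS):
    """Return 'base | fields + keep... | fields - drop...' with validated names."""
    for name in (*keep, *drop):
        if not _FIELD_NAME.match(name):
            raise ValueError(f"refusing suspicious field name: {name!r}")
    spl = f"{base} | fields + {' '.join(keep)}"
    if drop:
        spl += f" | fields - {' '.join(drop)}"
    return spl


def strip_internal(rows):
    """Client-side safety net: drop any underscore-prefixed keys that survived."""
    return [{k: v for k, v in row.items() if not k.startswith("_")} for row in rows]


def run_search(service, spl, **search_kwargs):
    """Run a oneshot search with the SDK and return the result rows as dicts."""
    from splunklib import results  # imported here so the pure helpers run offline
    stream = service.jobs.oneshot(spl, output_mode="json", **search_kwargs)
    # The reader also yields Message objects (warnings/errors); keep only rows.
    return [r for r in results.JSONResultsReader(stream) if isinstance(r, dict)]


def main():
    from splunklib import client
    import pandas as pd

    # Credentials come from the environment, never from the script itself.
    service = client.connect(
        host=os.environ["SPLUNK_HOST"],
        port=int(os.environ.get("SPLUNK_PORT", "8089")),
        username=os.environ["SPLUNK_USER"],
        password=os.environ["SPLUNK_PASSWORD"],
    )
    keep = ["Action", "bug_id", "Host", "User"]
    spl = build_search("search index=bugs", keep)  # "bugs" is a placeholder index
    rows = strip_internal(run_search(service, spl, earliest_time="-24h"))
    df = pd.DataFrame(rows, columns=keep)  # fixed column order; missing -> NaN
    print(df.head())
    return df


if __name__ == "__main__":
    main()
```

`build_search` produces, for the thread's fields, `search index=bugs | fields + Action bug_id Host User | fields - _bkt _cd _indextime _kv _raw _serial _si _sourcetype _subsecond _time`, which is exactly the combination of the two answers; `strip_internal` only matters if a future result still carries an underscore column the `fields -` list did not name.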
