Which command is used to take away a field from th...

splunkerkanaka · ‎08-06-2017

Is there a specific command that we use to take away a field from the results displayed?

DalJeanis · ‎08-06-2017

There are two ways to do that, and they have different effects -

| fields - myfield
| fields + keepfield1 keepfield2 ... keepfieldX

The fields command is a distributable, streaming command. The first one removes myfield, the second one removes all fields except the listed ones, but also leaves the internal fields like _time. There is no limit on the number of records that can pass through the fields command.

** TABLE **

| table keepfield1 keepfield2 ... keepfieldX

The table command is NOT a streaming command, it is a transforming command. It keeps only the listed fields, deleting all internal fields that aren't listed, and formats the result as a table. WARNING - Table has a limit to the number of results it puts out.

niketn · ‎08-06-2017

@splunkerkanaka, it should be | fields - <YourFieldToBeRemoved>
Refer to documentation on fields command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Which command is used to take away a field from the results display?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...