How to remove the VALUE attached to a word with _ ...

coleman07 · ‎09-20-2012

I have the following search string which I use to create a line chart:

....| timechart span=1d sum(kb) by series

The results and the graph show VALUE_internal and VALUE_audit. I just want _internal and _audit. How do I remove the VALUE so my results are less confusing?

Thanks.

melting · ‎09-20-2012

Fields with a leading "_" (underscore) are hidden fields. I would guess this is why the "VALUE" is prepended to this field is so it would not stay hidden. You could use the rename command, but you would have to choose something that is not preceded with an underscore.

| rename VALUE_audit as -audit

coleman07 · ‎09-20-2012

VALUE is getting appended to _internal and _audit. I ran the following search command and got the following output:

index=_internal source=metrics.log group=per_index_thruput series!=summary | count by series -- this shows _metric and _internal. When I run this thru timechart as above, VALUE is appended - try it.

sdaniels · ‎09-20-2012

Hard to understand exactly what you are looking for. Are the x & Y access titles showing this? Or is this actual values that are displayed in the legend?

You can use eval with the trim function to remove VALUE off of your field values like this:

| eval myField = trim(series , "VALUE") | timechart span=1d sum(kb) by myField

How to remove the VALUE attached to a word with _ before the name

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life