Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I delete the first 10 columns from a search?

HattrickNZ
Motivator
‎04-29-2015 05:12 PM

if I have 20 columns on display in the stats tab view after my search, can I just remove the first 10? Instead of having to name all 10 for deletion?

So my search would look something like:

...search... | fields -1-10

Or better still can I delete all but the last 6?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jimodonald
Contributor
‎04-29-2015 06:04 PM

you could use a "table" or explicitly list the fields with the "fields" command...

... search ... | table field11 field12 field13 field14 field15 field16

or

... search ... | fields field11 field12 field13 field14 field15 field16

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jimodonald
Contributor
‎04-29-2015 06:04 PM

you could use a "table" or explicitly list the fields with the "fields" command...

... search ... | table field11 field12 field13 field14 field15 field16

or

... search ... | fields field11 field12 field13 field14 field15 field16

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎04-30-2015 12:44 AM

Try it this way:

...search... | eval time = strftime(_time,"%y-%m-%d %H:%M") | table time field 11 field12

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-29-2015 06:42 PM

tks jim, that does the trick,

but if I have columns as follows; _time, field1, .... field11, field12 ....

and then I do: fields field11 field12

I get: field11, field12, _time

so to have _time as the leftmost column i have to do: fields _time field11 field12

which must be jsut how it works I guess?

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎04-29-2015 07:06 PM

Fields just selects the fields that are used for the search from the point forward, it's kind of a way to optimise the results (used quite extensively for summary indexing.)

Use the table command to order your fields...

... | table _time field1 field1* field2*
0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-29-2015 07:17 PM

I prefer fields

table changes the time format to this which dosen't look as good on the x-axis
2015-04-29 14:00:00

using fields it stays as this
2015-04-29 13:00

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎04-29-2015 07:35 PM

Understand the difference between what these commands do in Splunk :

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Fields

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/table

Use fieldformat to change the format of the time field. Table provides the full value of the event for statistically operations.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...