Solved: Is there a shortcut to piping the table command wh...

morethanyell · ‎08-16-2018

Given that my search criteria is this: index=some_index sourcetype=some_sourcetype, is there a shortcut to piping the | table * command where splunk-created fields are automatically excluded? (Basically wanted to do this: | fields - _raw, _time, eventtype, host, index, sourcetype, source, linecount, splunk_server, splunk_server_group, timestamp, punct in the shortest possible way.

niketn · ‎08-16-2018

@morethanyell, you can create a macro for excluding Splunk's default fields and use that macro in your searches. for example your macro code can be | fields - _* date_* .....

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-16-2018

@morethanyell, you can create a macro for excluding Splunk's default fields and use that macro in your searches. for example your macro code can be | fields - _* date_* .....

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

morethanyell · ‎08-16-2018

@niketnilay The noob in me is slapping me. Thank you. I did not think of that.

niketn · ‎08-16-2018

@morethanyell there is always first time for everything 🙂 Now you know.

I have converted my comment to answer. Please accept to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Is there a shortcut to piping the table command where splunk-created fields are automatically excluded?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases