1/5/2024

Splunk join documentation

fields

Description: Keeps or removes fields from search results based on the field list criteria. By default, the internal fields _raw and _time are included in output in Splunk Web. Additional internal fields are included in the output with the outputcsv command.

Required arguments

wc-field-list
Description: Comma-delimited list of fields to keep or remove. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. For example, if you want to specify all fields that start with "value", you can use a wildcard such as value*.

Optional arguments

+ | -
Syntax: + | -
Description: If the plus ( + ) symbol is specified, only the fields in the wc-field-list are kept in the results. If the negative ( - ) symbol is specified, the fields in the wc-field-list are removed from the results.

Usage

The fields command is a distributable streaming command.

Internal fields and Splunk Web

The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results in Splunk Web. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output in Splunk Web.

For example, to remove all internal fields, you specify:

... | fields - _*

To exclude a specific field, such as _raw, you specify:

... | fields - _raw

Be cautious removing the _time field. Statistical commands, such as timechart and chart, cannot display date or time information without the _time field.

Other than the _raw and _time fields, internal fields do not display in Splunk Web, even if you explicitly specify the fields in the search. For example, the following search does not show the _bkt field in the results:

index=_internal | head 5 | fields + _bkt | table _bkt
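The following Python model, added here as an illustration and not part of Splunk's documentation or code, replays the documented rules for `fields + / -`, wildcards, and internal-field handling over a handful of constructed events, so the effect of each variant (including the `_bkt` case and the `_time` caveat) can be checked offline. The event dictionaries, the helper names `fields_cmd`, `splunk_web_view` and `timechart_possible`, and the simplification that `+` retains every underscore field are assumptions of this model, not Splunk's implementation.

```python
import fnmatch

# Constructed sample events (not real Splunk data). Names starting with an
# underscore are internal fields, as in the documentation.
EVENTS = [
    {"_time": 1704412800, "_raw": "Jan 05 00:00:00 host1 sshd: Accepted publickey",
     "_bkt": "main~12~CONSTRUCTED", "host": "host1", "sourcetype": "syslog",
     "action": "accepted"},
    {"_time": 1704412860, "_raw": "Jan 05 00:01:00 host2 sshd: Failed password",
     "_bkt": "main~12~CONSTRUCTED", "host": "host2", "sourcetype": "syslog",
     "action": "failed"},
]


def _matches(name, patterns):
    # wc-field-list entries may use * as a wildcard, e.g. value* or _*
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def fields_cmd(events, wc_field_list, sign="+"):
    """Simplified model of `fields [+|-] <wc-field-list>` (assumption, not
    Splunk's own code). With +, only the listed fields are kept, but internal
    (underscore) fields survive because fields does not drop them unless told
    to; with -, every field matching the list is removed, internal or not."""
    patterns = [p.strip() for p in wc_field_list.split(",") if p.strip()]
    if sign not in ("+", "-"):
        raise ValueError("sign must be '+' or '-'")
    result = []
    for ev in events:
        if sign == "+":
            kept = {k: v for k, v in ev.items()
                    if _matches(k, patterns) or k.startswith("_")}
        else:
            kept = {k: v for k, v in ev.items() if not _matches(k, patterns)}
        result.append(kept)
    return result


def splunk_web_view(events):
    """Fields Splunk Web would display: internal fields other than _raw and
    _time stay hidden even when the search kept them explicitly."""
    return [{k: v for k, v in ev.items()
             if not k.startswith("_") or k in ("_raw", "_time")}
            for ev in events]


def timechart_possible(events):
    """timechart/chart need _time on every event to place it on a time axis."""
    return all("_time" in ev for ev in events)


if __name__ == "__main__":
    # ... | fields host, action  (+ is the default): _raw/_time still present
    print(sorted(fields_cmd(EVENTS, "host, action")[0]))
    # ... | fields - _*   : strips _time as well, so timechart would break
    stripped = fields_cmd(EVENTS, "_*", "-")
    print(sorted(stripped[0]), timechart_possible(stripped))
    # ... | fields - _raw : drops only _raw, _time remains usable
    print(timechart_possible(fields_cmd(EVENTS, "_raw", "-")))
    # ... | fields + _bkt | table _bkt : _bkt is kept but never rendered
    print(splunk_web_view(fields_cmd(EVENTS, "_bkt", "+"))[0])
```

Run it directly to see each variant; the `_bkt` case prints only `_time` and `_raw`, mirroring the documented search that shows an empty `_bkt` column in Splunk Web.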