Ever do a search and get extra fields that you don't want to see in your reports? Here's how to get rid of those fields.
Add "| fields - <fieldname>" to the search. To remove several fields at once, separate the field names with commas.
index=main | fields - _raw, _time
Without the minus sign, the same command keeps the fields you list, which helps when fields are missing from the report and you want to add them.
index=main | fields count, name, src_ip
The two forms also work together: chain them with a pipe (|).
index=main | fields count, name, src_ip | fields - _raw, _time
—
GuardianMS
Guarding your IT Experience!