
How do I exclude the Time (_messagetime) metadata field from my result set?
I've tried:

field -_messagetime

But it gives me the error

Field _messagetime not found, please check the spelling and try again.

Using:

fields -time

does not remove the field either.

Currently I'm getting around this by using an aggregate (count) that has no effect on the data.

[EDIT] Here's an example query: [screenshot of the query in the original post]

Removing the Message (_raw) works. But removing the time (_messagetime) doesn't.

These results are used as email alerts, so removing the Time field from the Display isn't really an option.

ilitirit
  • The hint that Message is actually _raw was useful – Michael Freidgeim Feb 19 '21 at 21:56
  • I'm looking for the same answer. I'm trying to export the data as CSV, and it keeps adding these hidden fields. You seem to have tried everything I've tried. Struggling with "_messagetime" and "_messagetimems" – Ryan Ore Apr 07 '21 at 00:07

2 Answers

The easiest way is to just turn off the field in the field browser window on the left-hand side of the results:

[screenshot: click the Time field checkbox to get rid of it]

The other option is to aggregate and then remove the aggregate field - even if you just aggregate on _raw (which is the raw message):

_sourceCategory=blah
| count by _raw
| fields -_count

If you're still having trouble, can you share the rest of your query?

Edit based on your new query:

*
| parse "Description=\"*\"" as Description
| parse "Date=\"*\"" as Date
| count by Description, Date, Action
| fields -_count
the-nick-wilson


The Time field is there as a result of the timeslice operation as far as I'm aware. The following should do the trick:

| fields - _timeslice

Bracher