Reputation: 16352
How to exclude the time field from Sumo Logic results?
How do I exclude the Time (_messagetime) metadata field from my result set?
I've tried:
field -_messagetime
But it gives me the error
Field _messagetime not found, please check the spelling and try again.
Using:
fields -time
does not remove the field either.
Currently I'm getting around this by using an aggregate (count) that has no effect on the data.
[EDIT]
Here's an example query:
Removing the Message (_raw) works. But removing the time (_messagetime) doesn't.
These results are used as email alerts, so removing the Time field from the Display isn't really an option.
Upvotes: 3
Views: 4160
Answers (2)
Reputation: 616
The easiest way is to just turn off the field in the field browser window on the left-hand side of the results:
The other option is to aggregate and then remove the aggregate field - even if you just aggregate on _raw (which is the raw message):
_sourceCategory=blah
| count by _raw
| fields -_count
If you're still having trouble, can you share the rest of your query?
Edit based on your new query:
*
| parse "Description=\"*\"" as Description
| parse "Date=\"*\"" as Date
| count by Description, Date, Action
| fields -_count
Upvotes: 2
Reputation: 711
The Time field is there as a result of the timeslice operation as far as I'm aware. The following should do the trick
| fields - _timeslice
Upvotes: 0
Related Questions
- JPA CriteriaQuery compare Timestamp ignore time portion
- Sumologic query to show data by date
- Sumo, TraCI: How to set the simulation time?
- SUMO sim time and real time difference
- Strange behaviour of timeslice in Sumo Logic
- Is it possible to change the timestep of SUMO output?
- Solr, searching between times, ignoring dates
- I do not want to consider the time (00:00:00) aspect of a datetime pull in SQL
- Querying ignoring a time portion of TIMESTAMP fields along with JPA converter
- How can I suppress the time from date time field in TFS query results?