Removing Fields

Description

The Eval Function can be used to add or remove fields. In this example we will remove the extracted fields while preserving _raw, _time,index,source, sourcetype.

Steps - Adding an Eval Function

important

Select the Add Functiontion button at the top right.
In the search bar, type eval, and select the Eval Function. It will be added at the bottom of the Pipeline.
In the new Eval Function, copy/paste the following into Keep fields:
```
_raw,_time,index,source,sourcetype
```
Add a wildcard (*) to the Remove Fields
```
*
```
Select Save.

Your new Function should look something like this: Remove1

Results

The red highlighted results on the right show the fields that will be removed.
Remove2

Basic Statistics

Finally, if you select the Basic Statistics icon (as earlier), you will see the huge reduction in your event sizes.
Remove3

Description​

Steps - Adding an Eval Function​

Results​

Basic Statistics​

Description

Steps - Adding an Eval Function

Results

Basic Statistics