project-away operator
Select what columns from the input to exclude from the output.
Syntax
T | project-away
ColumnNameOrPattern [,
...]
Parameters
Name | Type | Required | Description |
---|---|---|---|
T | string | ✓ | Tabular input from which to remove columns. |
ColumnNameOrPattern | string | ✓ | Name of the column or column wildcard-pattern to be removed from the output. |
Returns
A table with columns that were not named as arguments. Contains same number of rows as the input table.
Tips
You can project-away
any columns that are present in the original table or that were computed as part of the query.
Note
The order of the columns in the result is determined by their original order in the table. Only the columns that were specified as arguments are dropped. The other columns are included in the result.
Examples
The input table events
has 12 columns. Project-away 2 columns the name
column and the payload
column you're left 10 columns
events
| project original_time, data_source_name, name
//--- Search for the last 5 minutes of data
| where original_time > ago(5m)
| project-away name, payload
//--- USER Criteria Here
| take 1
Results
The following table shows the returned columns without the specified columns.
original_time | data_source_name | data_source_type_name | user_id | low_level_categories | src_ip | src_port | dst_ip | dst_port | severity | event_uuid |
---|---|---|---|---|---|---|---|---|---|---|
2023-06-09T12:05:06.188Z |
|
|
|
10008 |
|
|
|
|
1 | 020905cd-635a-****-873d-******06 |
Project-away using a column name pattern
The following query removes columns specified by the wild card (before example).
events
| project-away *name, payload*, src*, dst*
| take 1
Results
Notice how the columns that are specified with the wild card string are removed.
original_time | user_id | low_level_categories | severity | event_uuid |
---|---|---|---|---|
2023-06-09T12:05:06.188Z |
|
10008 | 1 |
See also
- To choose what columns from the input to keep in the output, use project-keep.
- To rename columns, use
project-rename
. - To reorder columns, use
project-reorder
.