project-away
This page explains how to use the project-away operator function in APL.
The
Run in Playground
Run in Playground
project-away operator in APL is used to exclude specific fields from the output of a query. This operator is useful when you want to return a subset of fields from a dataset, without needing to manually specify every field you want to keep. Instead, you specify the fields you want to remove, and the operator returns all remaining fields.
You can use project-away in scenarios where your dataset contains irrelevant or sensitive fields that you do not want in the results. It simplifies queries, especially when dealing with wide datasets, by allowing you to filter out fields without having to explicitly list every field to include.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.Splunk SPL users
Splunk SPL users
In Splunk SPL, you use the
fields command to remove fields from your results. In APL, the project-away operator provides a similar functionality, removing specified fields while returning the remaining ones.ANSI SQL users
ANSI SQL users
In SQL, you typically use the
SELECT statement to explicitly include fields. In contrast, APL’s project-away operator allows you to exclude fields, offering a more concise approach when you want to keep many fields but remove a few.Usage
Syntax
Parameters
FieldName: The field you want to exclude from the result set.
Returns
Theproject-away operator returns the input dataset excluding the specified fields. The result contains the same number of rows as the input table.
Use case examples
In log analysis, you might want to exclude unnecessary fields to focus on the relevant fields, such as timestamp, request duration, and user information.QueryRun in PlaygroundOutput
The query removes the
| _time | req_duration_ms | id | geo.city | geo.country |
|---|---|---|---|---|
| 2023-10-17 10:23:00 | 120 | u1 | Seattle | USA |
| 2023-10-17 10:24:00 | 135 | u2 | Berlin | Germany |
status, uri, and method fields from the output, keeping the focus on the key fields.Wildcard
Wildcard refers to a special character or a set of characters that can be used to substitute for any other character in a search pattern. Use wildcards to create more flexible queries and perform more powerful searches. The syntax for wildcard can either bedata* or ['data.fo']*.
Here’s how you can use wildcards in project-away:
List of related operators
- project: The
projectoperator lets you select specific fields to include, rather than excluding them. - extend: The
extendoperator is used to add new fields, whereasproject-awayis for removing fields. - summarize: While
project-awayremoves fields,summarizeis useful for aggregating data across multiple fields.