fields command usage
Internal fields
The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output.
For example, to remove all internal fields, you specify:
... | fields - _*
To exclude a specific field, such as _raw, you specify:
... | fields - _raw
Be cautious removing the _time field. Statistical commands, such as timechart, cannot display date or time information without the _time field.
Differences between SPL and SPL2
List of fields must be comma-delimited
The list of fields must be comma-delimited. Otherwise a parsing error is returned. Because the include operator ( + ) is the default, it is not shown in these examples.
| Version | Example 1 |
|---|---|
| SPL | ... fields userId ip |
| SPL2 | ... fields userId, ip |
Command options must be specified first
Command options must be specified before command arguments. The exclude and include operators are command options.
| Version | Example 1 |
|---|---|
| SPL | ... fields - host src |
| SPL2 | ... fields - host, src |
Field names with special character must be in single quotes
Field names that contain anything other than a-z, A-Z, 0-9, or underscore ( _ ), need to be enclosed in single quotation marks.
| Version | Example 1 |
|---|---|
| SPL | ... fields - "_*" host src |
| SPL2 | ... fields - '_*', host, src |
See also
- fields command
- fields command overview
- fields command examples
| fields command syntax details | fields command examples |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!