This documentation does not apply to the most recent version of Splunk.
fields
Synopsis
Keeps or removes fields from search results.
Syntax
fields [+|-] <wc-field-list>
Arguments
- <wc-field-list>
- Syntax: <string>, ...
- Description: Comma-delimited list of fields to keep (+) or remove (-); can include wildcards.
Description
Keeps (+) or removes (-) fields based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed.
Without either + or -, the command is equivalent to calling it with + and adding _* to the list; that is, "fields x, y" is the same as "fields + x, y, _*".
Important: The leading underscore is reserved for all internal Splunk field names, such as _raw and _time. By default, internal fields _raw and _time are included in output. The fields command does not remove internal fields unless explicitly specified with:
... | fields - _*
or more explicitly, with:
... | fields - _raw,_time
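To make the keep/remove semantics concrete, here is an added example (not Splunk's own code) that models the fields command over a list of result rows: the implicit `_*` that is appended when no sign is given, the `-` mode that only strips matching fields, and `*` wildcards in field names. The sample event is constructed, and `_wc_match`, `parse_fields_args`, `apply_fields` and `run_pipeline` are names chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample search results (not from the original page): one event with
# the internal fields _time and _raw plus several ordinary fields.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {
        "_time": 1700000000,
        "_raw": "Nov 14 22:13:20 web01 sshd[4242]: Failed password for alice from 10.0.0.5",
        "host": "web01",
        "ip": "10.0.0.5",
        "source": "/var/log/auth.log",
        "sourcetype": "linux_secure",
        "error_code": "401",
        "user": "alice",
    },
]


def _wc_match(name: str, pattern: str) -> bool:
    """Match a field name against a pattern where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def parse_fields_args(args: str) -> Tuple[str, List[str]]:
    """Split 'fields [+|-] <wc-field-list>' arguments into (mode, patterns).

    With no leading sign the mode is '+' and '_*' is appended, which is the
    documented reason 'fields x, y' still keeps _time and _raw.
    """
    text = args.strip()
    mode, explicit = "+", False
    if text[:1] in ("+", "-"):
        mode, explicit, text = text[0], True, text[1:]
    patterns = [p.strip() for p in text.split(",") if p.strip()]
    if not explicit:
        patterns.append("_*")
    return mode, patterns


def apply_fields(events: List[Dict[str, object]], args: str) -> List[Dict[str, object]]:
    """Apply one fields command to a list of result rows (dicts)."""
    mode, patterns = parse_fields_args(args)
    results = []
    for event in events:
        if mode == "+":
            # Keep mode: walk the field list in order so the output columns
            # follow the order given in the command.
            kept: Dict[str, object] = {}
            for pattern in patterns:
                for name, value in event.items():
                    if name not in kept and _wc_match(name, pattern):
                        kept[name] = value
            results.append(kept)
        else:
            # Remove mode: drop every field matching any pattern, keep the rest untouched.
            results.append({
                name: value
                for name, value in event.items()
                if not any(_wc_match(name, p) for p in patterns)
            })
    return results


def run_pipeline(events: List[Dict[str, object]], commands: List[str]) -> List[Dict[str, object]]:
    """Chain several 'fields ...' stages, as '... | fields host, ip | fields - _*' does."""
    for command in commands:
        command = command.strip()
        if command.startswith("fields"):
            command = command[len("fields"):]
        events = apply_fields(events, command)
    return events


if __name__ == "__main__":
    for cmd in ("- host, ip", "host, ip", "source, sourcetype, host, error*"):
        print(f"fields {cmd:<36} -> {list(apply_fields(SAMPLE_EVENTS, cmd)[0])}")
    chained = run_pipeline(SAMPLE_EVENTS, ["fields host, ip", "fields - _*"])
    print("fields host, ip | fields - _*       ->", list(chained[0]))
```

Running the script shows that `fields host, ip` leaves `_time` and `_raw` in place while `fields host, ip | fields - _*` does not. That distinction matters when results leave the search head (alert actions, exports, dashboards shared with other teams): `_raw` carries the full event text, so explicitly removing it with `fields - _raw` is the way to keep raw log content out of downstream output.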
Examples
Example 1: Remove the "host" and "ip" fields.
... | fields - host, ip
Example 2: Keep only the "host" and "ip" fields, and display them in the order: "host", "ip". Note that this also removes the internal fields, which begin with an underscore (such as _time).
... | fields host, ip | fields - _*
Example 3: Keep only the fields 'source', 'sourcetype', 'host', and all fields beginning with 'error'.
... | fields source, sourcetype, host, error*
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11