fields
Synopsis
Keeps or removes fields from search results.
Syntax
fields [+|-] <wc-field-list>
Required arguments
- <wc-field-list>
- Syntax: <string>, ...
- Description: Comma-delimited list of fields to keep (+) or remove (-); can include wildcards.
Description
Keeps (+) or removes (-) fields based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed.
Without either + or -, the command is equivalent to calling it with + and adding _* to the list -- that is, "fields x, y" is the same as "fields + x, y, _*".
Important: The leading underscore is reserved for all internal Splunk field names, such as _raw and _time. By default, internal fields _raw and _time are included in output. The fields command does not remove internal fields unless explicitly specified with:
... | fields - _*
or more explicitly, with:
... | fields - _raw,_time
Note: DO NOT remove the _time field when you pipe results to statistical commands.
Examples
Example 1: Remove the "host" and "ip" fields.
... | fields - host, ip
Example 2: Keep only the "host" and "ip" fields, and display them in the order: "host", "ip". Note that this also removes the internal fields, which begin with an underscore (such as _time).
... | fields host, ip | fields - _*
Example 3: Keep only the fields 'source', 'sourcetype', 'host', and all fields beginning with 'error'.
... | fields source, sourcetype, host, error*
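The three examples above, together with the +/- and _* rules from the Description, can be checked against a small model of the command. The following Python is an added illustration written for this page, not Splunk's own implementation: results are modelled as a list of dicts, wildcards are matched with fnmatch (an assumption; the page only says the list "can include wildcards"), and kept fields are ordered by their position in the field list, which is what Example 2 implies. Sample events are constructed.

```python
import fnmatch

# Constructed sample results (not from the page). Internal fields start with "_".
SAMPLE_RESULTS = [
    {"_time": "2024-01-01T00:00:00", "_raw": "src=10.0.0.1 host=web1 error_code=500",
     "host": "web1", "ip": "10.0.0.1", "source": "/var/log/app.log",
     "sourcetype": "app", "error_code": "500", "error_msg": "timeout"},
    {"_time": "2024-01-01T00:00:05", "_raw": "src=10.0.0.2 host=web2 error_code=200",
     "host": "web2", "ip": "10.0.0.2", "source": "/var/log/app.log",
     "sourcetype": "app", "error_code": "200", "error_msg": ""},
]


def _first_match(name, patterns):
    """Index of the first pattern matching the field name, or None."""
    for i, pattern in enumerate(patterns):
        if fnmatch.fnmatchcase(name, pattern):
            return i
    return None


def fields(results, field_list, mode=None):
    """Model of `fields [+|-] <wc-field-list>`.

    mode "+" keeps only matching fields, "-" removes matching fields, and
    None (no sign given) behaves like "+" with "_*" appended to the list,
    so internal fields such as _time and _raw survive by default.
    """
    patterns = [f.strip() for f in field_list.split(",") if f.strip()]
    if mode is None:
        mode = "+"
        patterns = patterns + ["_*"]
    if mode not in ("+", "-"):
        raise ValueError("mode must be '+', '-' or None")

    out = []
    for event in results:
        if mode == "+":
            # Keep matches, ordered by the position of the pattern they matched
            # (stable sort keeps event order within one pattern, e.g. error*).
            kept_names = [k for k in event if _first_match(k, patterns) is not None]
            kept_names.sort(key=lambda k: _first_match(k, patterns))
            out.append({k: event[k] for k in kept_names})
        else:
            out.append({k: v for k, v in event.items()
                        if _first_match(k, patterns) is None})
    return out


def field_names(results):
    """Field names of the first result, in display order."""
    return list(results[0].keys()) if results else []


def example_1():
    # ... | fields - host, ip
    return fields(SAMPLE_RESULTS, "host, ip", "-")


def example_2():
    # ... | fields host, ip | fields - _*
    return fields(fields(SAMPLE_RESULTS, "host, ip"), "_*", "-")


def example_3():
    # ... | fields source, sourcetype, host, error*
    return fields(SAMPLE_RESULTS, "source, sourcetype, host, error*")


if __name__ == "__main__":
    for name, fn in (("Example 1", example_1), ("Example 2", example_2),
                     ("Example 3", example_3)):
        print(name, field_names(fn()))
```

Running the module shows that Example 1 leaves _time and _raw in place, Example 2 strips them only because of the explicit `fields - _*`, and Example 3 keeps the wildcard matches error_code and error_msg alongside the three named fields while the internal fields remain.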
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fields command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2