Keeps (+) or removes (-) fields from search results based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed. If neither is specified, defaults to +.
By default, the internal fields _raw and _time are included in output in Splunk Web. Additional internal fields are included in the output with the outputcsv command. See Usage.
fields [+|-] <wc-field-list>
- Syntax: <string>, <string>, ...
- Description: Comma-delimited list of fields to keep (+) or remove (-). You can use wildcard characters in the field names.
Internal fields and Splunk Web
The leading underscore is reserved for names of internal fields such as _time. By default, the internal fields _raw and _time are included in the search results in Splunk Web. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output in Splunk Web. For example:
... | fields - _*
To exclude a specific field, such as _raw, you specify:
... | fields - _raw
Be cautious removing the _time field. Statistical commands, such as chart, cannot display date or time information without the _time field.
Other internal fields do not display in Splunk Web, even if you explicitly specify the fields in the search. For example, the following search does not show the _bkt field in the results.
index=_internal | head 5 | fields + _bkt | table _bkt
To display an internal field in the results, the field must be copied or renamed to a field name that does not include the leading underscore character. For example:
index=_internal | head 5 | fields + _bkt | eval bkt=_bkt | table bkt
Internal fields and the outputcsv command
When the outputcsv command is used in the search, there are additional internal fields that are automatically added to the CSV file. The internal fields, in addition to _time, that are added to the output in the CSV file are:
To exclude these internal fields from the output, use the fields command. For example:
... | fields - _indextime _sourcetype _subsecond _serial | outputcsv MyTestCsvFile
ip fields from the results
... | fields - host, ip
Keep only the ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example
... | fields host, ip | fields - _*
Exclude unwanted internal fields from the output CSV file. The fields to exclude are
index=_internal sourcetype="splunkd" | head 5 | fields _raw _time | fields - _indextime _sourcetype _subsecond _serial | outputcsv MyTestCsvfile
Keep only the fields host, and all fields beginning with
... | fields source, sourcetype, host, error*
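The keep and remove behaviour described on this page, as a simplified Python model. This is an added example, not Splunk code or part of the original documentation. It shows why a keep list alone still leaves _raw (the full event text) in the results until internal fields are removed explicitly. The sample event, the function names, and the rule that every underscore-prefixed field survives a keep list are assumptions of the model.

```python
import re

# Constructed sample event; field names and values are illustrative only.
EVENT = {
    "_raw": "2024-01-01T00:00:00Z login failed user=alice src=10.0.0.5",
    "_time": 1704067200,
    "host": "web01",
    "ip": "10.0.0.5",
    "user": "alice",
    "error_code": "401",
    "error_msg": "login failed",
}

def parse_fields(args):
    """Split the text after 'fields' into (mode, patterns); mode defaults to '+'."""
    args = args.strip()
    mode = "+"
    if args and args[0] in "+-":
        mode, args = args[0], args[1:]
    return mode, [p for p in re.split(r"[,\s]+", args) if p]

def matches(name, patterns):
    """True if name matches any pattern; '*' is the only wildcard."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, name):
            return True
    return False

def apply_fields(event, args):
    mode, patterns = parse_fields(args)
    if mode == "-":
        return {k: v for k, v in event.items() if not matches(k, patterns)}
    # Assumption: in keep mode every underscore-prefixed field survives,
    # as the page describes for _raw and _time.
    return {k: v for k, v in event.items()
            if k.startswith("_") or matches(k, patterns)}

def run_pipeline(event, pipeline):
    """Apply each 'fields' stage of a '|'-separated pipeline in order."""
    for stage in pipeline.split("|"):
        command, _, args = stage.strip().partition(" ")
        if command == "fields":
            event = apply_fields(event, args)
    return event

if __name__ == "__main__":
    for search in ("fields host, ip", "fields host, ip | fields - _*"):
        print(search, "->", sorted(run_pipeline(EVENT, search)))
```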
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0