Splunk® Enterprise

Search Reference


fields

Description

Keeps (+) or removes (-) fields from search results based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed. If neither is specified, defaults to +.

By default, the internal fields _raw and _time are included in output in Splunk Web. Additional internal fields are included in the output with the outputcsv command. See Usage.

Syntax

fields [+|-] <wc-field-list>

Required arguments

<wc-field-list>
Syntax: <string>, <string>, ...
Description: Comma-delimited list of fields to keep (+) or remove (-). The examples in this topic also show space-delimited lists. You can use wildcard characters in the field names.

Usage

Internal fields and Splunk Web

The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results in Splunk Web. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output in Splunk Web. For example:

... | fields - _*

To exclude a specific field, such as _raw, you specify:

... | fields - _raw

Be cautious removing the _time field. Statistical commands, such as timechart and chart, cannot display date or time information without the _time field.

Besides the _raw and _time fields, other internal fields do not display in Splunk Web, even if you explicitly specify the fields in the search. For example, the following search does not show the _bkt field in the results.

index=_internal | head 5 | fields + _bkt | table _bkt

To display an internal field in the results, the field must be copied or renamed to a field name that does not include the leading underscore character. For example:

index=_internal | head 5 | fields + _bkt | eval bkt=_bkt | table bkt

Internal fields and the outputcsv command

When the outputcsv command is used in the search, additional internal fields are automatically added to the CSV file. In addition to _raw and _time, the following internal fields are written to the CSV file:

  • _indextime
  • _serial
  • _sourcetype
  • _subsecond

To exclude these internal fields from the output, use the fields command. For example:

... | fields - _indextime _sourcetype _subsecond _serial | outputcsv MyTestCsvFile

Examples

Example 1:

Remove the host and ip fields from the results

... | fields - host, ip

Example 2:

Keep only the host and ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example _time.

... | fields host, ip | fields - _*

Example 3:

Exclude unwanted internal fields from the output CSV file. The fields to exclude are _indextime, _sourcetype, _subsecond, and _serial.

index=_internal sourcetype="splunkd" | head 5 | fields _raw _time | fields - _indextime _sourcetype _subsecond _serial | outputcsv MyTestCsvfile

Example 4:

Keep only the fields source, sourcetype, host, and all fields beginning with error.

... | fields source, sourcetype, host, error*
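The keep and remove semantics described in this topic (default of +, wildcard matching, a + list not dropping internal fields so that Examples 2 and 3 need an explicit - clause, and Splunk Web hiding internal fields other than _raw and _time) modeled in Python. This is an added example, not Splunk code or SPL; the sample event is constructed, and the model assumes that every leading-underscore field behaves under a + list the way this topic describes _raw and _time (retained until a - clause names it).

```python
"""Model of the SPL 'fields [+|-] <wc-field-list>' semantics from this topic.

Added example; not Splunk code. Field lists may be comma- or space-delimited,
and '*' is the wildcard, as in SPL.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample event (field -> value). Values are made up for illustration.
SAMPLE_EVENT = {
    "_raw": "2016-02-18 10:00:00 action=login user=alice src=10.0.0.5 error_code=0",
    "_time": 1455789600,
    "_bkt": "main~12~0000",          # constructed bucket id
    "_indextime": 1455789601,
    "_serial": 0,
    "_sourcetype": "auth",
    "_subsecond": ".000",
    "host": "web01",
    "ip": "10.0.0.5",
    "source": "/var/log/auth.log",
    "sourcetype": "auth",
    "error_code": "0",
    "error_msg": "",
    "user": "alice",
}

# Internal fields that outputcsv adds to the CSV file, as listed in this topic.
OUTPUTCSV_INTERNAL_FIELDS = ("_indextime", "_serial", "_sourcetype", "_subsecond")

# The only internal fields Splunk Web displays; other leading-underscore fields are hidden.
WEB_VISIBLE_INTERNAL = ("_raw", "_time")


def parse_field_list(spec):
    """Split 'fields [+|-] <wc-field-list>' into (mode, patterns).

    Mode defaults to '+' when omitted. Items may be separated by commas, spaces, or both.
    """
    tokens = [t for t in re.split(r"[,\s]+", spec.strip()) if t]
    mode = "+"
    if tokens and tokens[0] in ("+", "-"):
        mode = tokens.pop(0)
    if not tokens:
        raise ValueError("fields requires a non-empty field list")
    return mode, tokens


def apply_fields(event, spec):
    """Apply one 'fields' clause to an event dict and return a new dict.

    '+' keeps fields matching the list. Modeling assumption: leading-underscore
    (internal) fields survive a '+' list and go only when a '-' clause names them,
    which is why '... | fields host, ip | fields - _*' is needed in Example 2.
    '-' removes fields matching the list.
    """
    mode, patterns = parse_field_list(spec)

    def matches(name):
        return any(fnmatchcase(name, p) for p in patterns)

    if mode == "+":
        return {k: v for k, v in event.items() if matches(k) or k.startswith("_")}
    return {k: v for k, v in event.items() if not matches(k)}


def run_pipeline(event, *clauses):
    """Apply several 'fields' clauses left to right, like '... | fields a | fields - b'."""
    for clause in clauses:
        event = apply_fields(event, clause)
    return event


def visible_in_splunk_web(event):
    """Drop internal fields Splunk Web never displays (everything starting with '_'
    except _raw and _time). A kept _bkt is present in the data but not shown; copying
    it with 'eval bkt=_bkt' makes it visible."""
    return {k: v for k, v in event.items()
            if not k.startswith("_") or k in WEB_VISIBLE_INTERNAL}


if __name__ == "__main__":
    # Example 1: remove host and ip
    print(sorted(apply_fields(SAMPLE_EVENT, "- host, ip")))
    # Example 2: keep host and ip, then strip every internal field
    print(sorted(run_pipeline(SAMPLE_EVENT, "host, ip", "- _*")))
    # Example 3: keep _raw/_time, remove the outputcsv internal fields
    print(sorted(run_pipeline(SAMPLE_EVENT, "_raw _time",
                              "- " + " ".join(OUTPUTCSV_INTERNAL_FIELDS))))
    # Example 4: wildcard keep
    print(sorted(apply_fields(SAMPLE_EVENT, "source, sourcetype, host, error*")))
    # _bkt is kept by 'fields + _bkt' but hidden in Splunk Web
    print(sorted(visible_in_splunk_web(apply_fields(SAMPLE_EVENT, "+ _bkt"))))
```

The model makes the two internal-field rules from the Usage section visible side by side: a + list alone never clears _raw, _time or the outputcsv fields (so a trailing `fields - _*` or an explicit list is what actually removes them), and keeping _bkt is not the same as displaying it.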

See also

rename, table

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fields command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

Can someone explain what the "keepcolorder" argument does for the fields command? It can be seen in the job inspector, especially when using datamodels. There does not seem to be any mention of its purpose in the documentation.

Rjthibod
February 18, 2016

If I have 20 columns on display in the stats tab view, can I just remove the first 10, instead of having to name all 10 for deletion?

HattrickNZ
April 29, 2015
