Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

fields

Description

Keeps or removes fields from search results based on the field list criteria.

By default, the internal fields _raw and _time are included in output in Splunk Web. Additional internal fields are included in the output with the outputcsv command. See Usage.

Syntax

fields [+|-] <wc-field-list>

Required arguments

<wc-field-list>
Syntax: <field>, <field>, ...
Description: Comma-delimited list of fields to keep or remove. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. For example, if you want to specify all fields that start with "value", you can use a wildcard such as value*.

Optional arguments

+ | -
Syntax: + | -
Description: If the plus ( + ) symbol is specified, only the fields in the wc-field-list are kept in the results. If the negative ( - ) symbol is specified, the fields in the wc-field-list are removed from the results.
Default: +

Usage

The fields command is a distributable streaming command. See Command types.

Internal fields and Splunk Web

The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results in Splunk Web. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output in Splunk Web.

For example, to remove all internal fields, you specify:

... | fields - _*

To exclude a specific field, such as _raw, you specify:

... | fields - _raw

Be cautious removing the _time field. Statistical commands, such as timechart and chart, cannot display date or time information without the _time field.

Displaying internal fields in Splunk Web

Other than the _raw and _time fields, internal fields do not display in Splunk Web, even if you explicitly specify the fields in the search. For example, the following search does not show the _bkt field in the results.

index=_internal | head 5 | fields + _bkt | table _bkt

To display an internal field in the results, the field must be copied or renamed to a field name that does not include the leading underscore character. For example:

index=_internal | head 5 | fields + _bkt | eval bkt=_bkt | table bkt

Internal fields and the outputcsv command

When the outputcsv command is used in the search, there are additional internal fields that are automatically added to the CSV file. The most common internal fields that are added are:

  • _raw
  • _time
  • _indextime


To exclude internal fields from the output, specify each field that you want to exclude. For example:

... | fields - _raw _indextime _sourcetype _serial | outputcsv MyTestCsvFile

You cannot match wildcard characters in searches that use the fields command

You can use the asterisk ( * ) in your searches as a wildcard character, but you can't use a backslash ( \ ) to escape an asterisk in search strings. A backslash\ and an asterisk * match the characters \* in searches, not an escaped wildcard * character. Because Splunk platform doesn't support escaping wildcards, asterisk ( * ) characters in field names can't be matched in searches that keep or remove fields from search results.

Support for backslash characters ( \ ) in the fields command

To match a backslash character ( \ ) in a field name when using the fields command, use 2 backslashes for each backslash. For example, to display fields that contain http:\\, use the following command in your search:

... | fields http:\\\\*

See Backslashes in the Search Manual.

Examples

Example 1:

Remove the host and ip fields from the results

... | fields - host, ip

Example 2:

Keep only the host and ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example _time.

... | fields host, ip | fields - _*

Example 3:

Remove unwanted internal fields from the output CSV file. The fields to exclude are _raw_indextime, _sourcetype, _subsecond, and _serial.

index=_internal sourcetype="splunkd" | head 5 | fields - _raw, _indextime, _sourcetype, _subsecond, _serial | outputcsv MyTestCsvfile

Example 4:

Keep only the fields source, sourcetype, host, and all fields beginning with error.

... | fields source, sourcetype, host, error*

See also

rename, table

Last modified on 06 October, 2023
fieldformat   fieldsummary

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters