This topic describes how to use the fields function in the Splunk Data Stream Processor.
Keeps or removes fields from your data based on the field list criteria.
Function Input/Output Schema
- Function Input
- This function takes in collections of records with schema R.
- Function Output
- This function outputs the same collection of records but with a different schema S.
The field_list argument is required; the + | - symbol is optional.
- fields [+|-] <field_list>
Required arguments
- field_list
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of fields to keep or remove. You can use a wildcard character in the field names, but you must enclose those field names in single quotation marks.
Optional arguments
- + | -
- Syntax: + | -
- Description: If the plus ( + ) symbol is specified, only the fields in the field_list are kept in the results. If the negative ( - ) symbol is specified, the fields in the field_list are removed from the results. The symbol you specify applies to all of the fields in the field_list.
- Default: +
Examples of common use cases follow:
1. Specify a list of fields to keep in your records
Return only the host, source, and body fields.
... | fields host, source, body | ...
2. Specify a list of fields to remove from your records
Use the negative ( - ) symbol to specify which fields to remove from your incoming records. In this example, remove the host field from the records.
... | fields - host | ...
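The following is an added example, not Splunk code and not part of the original page: a small Python simulation of the documented fields semantics (a leading + keeps only the listed fields and is the default, a leading - removes them, and single-quoted names may contain a wildcard). It lets you check what a clause does to a record's schema before putting it in a pipeline. The sample records are constructed for the example, and the choice of `*` as the wildcard character, matched with fnmatch, is an assumption about DSP's syntax rather than something the page states.

```python
"""Simulate the DSP `fields [+|-] <field_list>` function on dict records.

Added example, not Splunk code. Assumptions: the wildcard character is `*`
(matched with fnmatch), and records are plain dicts keyed by field name.
"""
import fnmatch
import re

# A list item is either a single-quoted name (may hold a wildcard) or a bare name.
_TOKEN = re.compile(r"'([^']*)'|([^,\s']+)")


def parse_fields_clause(clause):
    """Parse "fields [+|-] <field_list>" into (keep, patterns).

    keep is True for + (the documented default) and False for -; the symbol
    applies to every name in the list, as the page describes.
    """
    body = clause.strip()
    if body.startswith("fields"):
        body = body[len("fields"):].strip()
    keep = True
    if body[:1] in ("+", "-"):
        keep = body[0] == "+"
        body = body[1:].strip()
    patterns = [quoted or bare for quoted, bare in _TOKEN.findall(body)]
    patterns = [p for p in patterns if p]
    if not patterns:
        raise ValueError("field_list is required")
    return keep, patterns


def apply_fields(record, keep, patterns):
    """Return a new record with the output schema S the clause produces from R."""
    def matches(name):
        # fnmatchcase so that 'source*' matches source and sourcetype but
        # field-name case is respected.
        return any(fnmatch.fnmatchcase(name, p) for p in patterns)
    return {k: v for k, v in record.items() if matches(k) == keep}


def run_fields(clause, records):
    """Apply one fields clause to a collection of records."""
    keep, patterns = parse_fields_clause(clause)
    return [apply_fields(r, keep, patterns) for r in records]


# Constructed sample records (not real DSP data).
SAMPLE_RECORDS = [
    {"host": "web01", "source": "/var/log/auth.log", "sourcetype": "linux_secure",
     "body": "Failed password for root", "attributes": {"pid": 4242}},
    {"host": "db01", "source": "/var/log/syslog", "sourcetype": "syslog",
     "body": "disk usage 91%", "attributes": {"pid": 17}},
]

if __name__ == "__main__":
    for clause in ("fields host, source, body", "fields - host", "fields 'source*'"):
        print(clause, "->", run_fields(clause, SAMPLE_RECORDS)[0])
```

One practical consequence of the semantics worth keeping in mind: the + form is an allowlist, so a record leaving the pipeline can only carry the fields you named, whereas the - form is a denylist that passes through any field you did not name, including fields an upstream function adds later. When the goal is to make sure only known fields are forwarded, the + form is the safer choice.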
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0