Fields

This topic describes how to use the function in the .

Description

The Fields function keeps or removes fields from your data based on the field list criteria.

Function Input/Output Schema

Function Input

collection<record<R>>

This function takes in collections of records with schema R.

Function Output

collection<record<S>>

This function outputs the same collection of records but with a different schema S.

Syntax

The required fields are in bold font.

fields [+|-] <field_list>

Required arguments

field_list

Syntax: <field>, <field>, ...

Description: Comma-delimited list of fields to keep or remove. You can use a wild card character in the field names, but must enclose those field names in single quotation marks.

Example in Canvas View: host, source, body

Optional arguments

operator

Syntax: + | -

Description: If the plus sign ( + ) is specified, only the fields in the field_list are kept in the results. If the minus sign ( - ) is specified, the fields in the field_list are removed from the results. The symbol you specify applies to all of the fields in the field_list.

Default: +

Example in Canvas View: -

Examples

Examples of common use cases follow. These examples assume that you have added the function to your pipeline.

1. SPL2 Example: Specify a list of fields to keep in your records

This example assumes that you are in the SPL View.

Return only the host, source, and body fields.

... | fields host, source, body | ...

2. SPL2 Example: Specify a list of fields to remove from your records

This example assumes that you are in the SPL View.

Use the minus sign ( - ) to specify which fields to remove from your incoming records. This example removes the host field from the records:

... | fields - host | ...