This topic describes how to use the fields function in the Splunk Data Stream Processor (DSP).
Keeps or removes fields from your data based on the field list criteria.
Function Input/Output Schema
- Function Input
- This function takes in collections of records with schema R.
- Function Output
- This function outputs the same collection of records but with a different schema S.
The required fields are in bold font.
- fields [+|-] <field_list>
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of fields to keep or remove. You can use a wildcard character in the field names, but you must enclose those field names in single quotation marks.
- Example in Canvas View: host, source, body
- Syntax: + | -
- Description: If the plus sign ( + ) is specified, only the fields in the field_list are kept in the results. If the minus sign ( - ) is specified, the fields in the field_list are removed from the results. The symbol you specify applies to all of the fields in the field_list.
- Default: +
- Example in Canvas View: -
Examples of common use cases follow. The following examples assume that you are in the SPL View.
When working in the SPL View, you can write the function by using the syntax shown in each use case.
1. Specify a list of fields to keep in your records
Return only the host, source, and body fields from each record. Because the plus sign ( + ) is the default, every other field is dropped:
... | fields host, source, body | ...
2. Specify a list of fields to remove from your records
Use the minus sign ( - ) to specify which fields to remove from your incoming records. This example removes the host field from the records:
... | fields - host | ...
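The following is an added example, not code from the Splunk DSP documentation or product, that models the keep/remove semantics described above in plain Python so you can see how the sign, the comma-delimited list, and a quoted wildcard combine. It assumes glob-style matching for the wildcard ( * matches any run of characters); the page does not define the wildcard grammar beyond "a wild card character", so treat that as an assumption. The sample records are constructed for the example. Note the practical difference between the two signs: a plus-sign list is an allowlist and yields a fixed output schema S no matter what new fields appear upstream, whereas a minus-sign list is a denylist that passes through any field you did not name, which matters when the purpose of the function is to strip sensitive fields before records leave the pipeline.

```python
from fnmatch import fnmatchcase

# Constructed sample records (schema R has five fields); not from the page.
RECORDS = [
    {"host": "web-01", "source": "/var/log/auth.log",
     "body": "Accepted publickey for alice",
     "source_type": "linux_secure", "_raw_bytes": 131},
    {"host": "web-02", "source": "/var/log/nginx/access.log",
     "body": "GET /login 200",
     "source_type": "nginx", "_raw_bytes": 412},
]


def parse_field_list(spec):
    """Parse a spec such as '- host, source' or 'host, body'.

    Returns (keep, patterns). The leading sign applies to every field
    in the list; when no sign is given the default is '+', as on the page.
    Field names wrapped in single quotes are unquoted so that wildcards
    can be used, matching the page's quoting rule.
    """
    spec = spec.strip()
    keep = True
    if spec[:1] in "+-":
        keep = spec[0] == "+"
        spec = spec[1:]
    patterns = []
    for raw in spec.split(","):
        name = raw.strip()
        if not name:
            continue
        if len(name) >= 2 and name[0] == "'" and name[-1] == "'":
            name = name[1:-1]
        patterns.append(name)
    return keep, patterns


def fields(records, spec):
    """Apply the spec to every record, returning records with schema S.

    keep=True  -> a field survives only if it matches some pattern
    keep=False -> a field survives only if it matches no pattern
    Wildcard matching is assumed to be glob-style (fnmatchcase).
    """
    keep, patterns = parse_field_list(spec)
    out = []
    for rec in records:
        new = {}
        for name, value in rec.items():
            matched = any(fnmatchcase(name, p) for p in patterns)
            if matched == keep:
                new[name] = value
        out.append(new)
    return out


def output_schema(records):
    """The set of field names present in the output (schema S)."""
    schema = set()
    for rec in records:
        schema.update(rec)
    return schema


if __name__ == "__main__":
    print(output_schema(fields(RECORDS, "host, source, body")))
    print(output_schema(fields(RECORDS, "- host")))
    print(output_schema(fields(RECORDS, "- 'source*'")))
```

Run it and compare the three printed schemas: the allowlist form produces exactly the three named fields, the minus form on a single field leaves the other four untouched, and the quoted wildcard removes both source and source_type in one stroke.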
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0, 1.2.1