All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.
Fields
This topic describes how to use the function in the .
Description
The Fields function keeps or removes fields from your data based on the field list criteria.
Function Input/Output Schema
- Function Input
collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
collection<record<S>>
- This function outputs the same collection of records but with a different schema S.
Syntax
The required fields are in bold font.
- fields [+|-] <field_list>
Required arguments
- field_list
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of fields to keep or remove. You can use a wildcard character in the field names, but you must enclose those field names in single quotation marks.
- Example in Canvas View: host, source, body
Optional arguments
- operator
- Syntax: + | -
- Description: If the plus sign ( + ) is specified, only the fields in the field_list are kept in the results. If the minus sign ( - ) is specified, the fields in the field_list are removed from the results. The symbol you specify applies to all of the fields in the field_list.
- Default: +
- Example in Canvas View: -
Examples
Examples of common use cases follow. These examples assume that you have added the function to your pipeline.
1. SPL2 Example: Specify a list of fields to keep in your records
This example assumes that you are in the SPL View.
Return only the host, source, and body fields.
... | fields host, source, body | ...
2. SPL2 Example: Specify a list of fields to remove from your records
This example assumes that you are in the SPL View.
Use the minus sign ( - ) to specify which fields to remove from your incoming records. This example removes the host field from the records:
... | fields - host | ...
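The following Python sketch is an added illustration, not Splunk code. It models the keep/remove semantics described above on constructed records so that you can check what schema S a given field list produces before you change a pipeline. The names apply_fields and output_schema are hypothetical, and the sketch assumes that the wildcard character is * and that it matches any run of characters.

```python
import re

def _matcher(pattern):
    # Assumption: '*' is the wildcard and matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(regex).fullmatch

def apply_fields(records, field_list, operator="+"):
    """Model of `fields [+|-] <field_list>` over a list of dict records."""
    if operator not in ("+", "-"):
        raise ValueError("operator must be '+' or '-'")
    # Split the comma-delimited list; drop the single quotes that wrap wildcard names.
    names = [f.strip().strip("'") for f in field_list.split(",") if f.strip()]
    matchers = [_matcher(n) for n in names]

    def listed(name):
        return any(m(name) for m in matchers)

    keep = operator == "+"  # default '+' keeps only the listed fields
    # The single operator applies to every entry in the field list.
    return [{k: v for k, v in rec.items() if listed(k) == keep} for rec in records]

def output_schema(records):
    """Sorted union of field names: the schema S after the function runs."""
    return sorted({k for rec in records for k in rec})

# Constructed sample records (schema R); values are illustrative only.
RECORDS = [
    {"host": "web-01", "source": "/var/log/auth.log",
     "body": "Accepted publickey for deploy",
     "attr_user": "deploy", "attr_src_ip": "192.0.2.10"},
    {"host": "web-02", "source": "/var/log/auth.log",
     "body": "Failed password for root",
     "attr_user": "root", "attr_src_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    cases = [("host, source, body", "+"), ("host", "-"), ("'attr_*', source", "-")]
    for spec, op in cases:
        print(f"fields {op} {spec} ->", output_schema(apply_fields(RECORDS, spec, op)))
```

The third case shows a quoted wildcard entry and a plain entry removed together, because the minus sign applies to the whole list.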
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6