Splunk® Cloud Services

SPL2 Search Reference

fields command examples

The following are examples for using the SPL2 fields command. To learn more about the fields command, see How the SPL2 fields command works.

1. Specify a list of fields to include in the search results

Return only the host and src fields from the search results.

... | fields host, src


2. Specify a list of fields to remove from the search results

Use the negative ( - ) symbol to specify which fields to remove from the search results. In this example, remove the host and ip fields from the results.

... | fields - host, ip


3. Remove all internal fields from the search results

Internal fields are returned by default. All internal fields begin with an underscore character, for example _time. Use a wildcard character ( * ) after the underscore to specify all internal fields. This example keeps only the host and ip fields and removes all of the internal fields.

... | fields host, ip | fields - '_*'


4. Remove specific internal fields from the search results

Remove unwanted internal fields from the results. The fields to exclude are _raw, _indextime, _sourcetype, _subsecond, and _serial.

| from _internal where sourcetype="splunkd" | head 5 | fields - _raw, _indextime, _sourcetype, _subsecond, _serial


5. Store the results in a KV lookup dataset

Keep the host and ip fields. Remove all internal fields from the search results. Store the results in a KV lookup dataset.

... | fields host, ip | fields - '_*' | into myKVlookup


6. Use a wildcard to specify multiple fields that start with a similar name

Keep only the fields source, sourcetype, host, and all fields that begin with error. Because a wildcard is used, the field name must be enclosed in single quotation marks.

... | fields source, sourcetype, host, 'error*'

7. Pipeline examples

The following examples show how to use the fields command to remove fields from a pipeline.

Dropping fields in a pipeline

This example extracts the log message number in the _raw field. The numbers are copied into a field named msg_num. The fields command is used to drop the _raw field and then the data is sent to an existing index named cisco_msg_num.

$pipeline = | from $source  
| rex field=_raw /(?P<msg_num>(%ASA|%FTD)-\d+-\d+)/
| fields - _raw
| eval index="cisco_msg_num"
| into $destination

Filter data in a pipeline based on extracted fields

Suppose you want to filter data in Linux audit logs so that only audit logs that indicate failed login attempts remain. You must first extract the record types and result values from the logs with the rex command. Then filter extracted fields using the where command. Use the fields command to drop the RecordType and Result fields from the events before the data is sent to the destination.

$pipeline = | from $source
| rex field=_raw /type=(?P<RecordType>[A-Z_]+).*res=(?P<Result>\w+)/
| where RecordType = "USER_LOGIN"
| where Result = "failed"
| fields - RecordType, Result
| into $destination
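The audit-log pipeline above, emulated in Python as an added example (this is not Splunk code), so the rex, where and fields steps can be run over a few constructed audit lines. It uses the same regular expression as the pipeline and also shows that events the pattern does not match never reach the destination, because where drops events that lack the field. The sample lines and the helper names (rex, where, drop_fields, failed_login_pipeline) are constructed for this illustration.

```python
import re

# Constructed sample lines (not real data) standing in for the _raw field
# of events arriving from $source.
SAMPLE_RAW = [
    'type=USER_LOGIN msg=audit(1724745600.101:201): pid=1234 uid=0 auid=1000 '
    'msg=\'op=login acct="alice" exe="/usr/sbin/sshd" addr=198.51.100.7 res=failed\'',
    'type=USER_LOGIN msg=audit(1724745601.202:202): pid=1235 uid=0 auid=1001 '
    'msg=\'op=login acct="bob" exe="/usr/sbin/sshd" addr=198.51.100.8 res=success\'',
    'type=USER_START msg=audit(1724745602.303:203): pid=1236 uid=0 auid=1001 '
    'msg=\'op=PAM:session_open acct="bob" exe="/usr/sbin/sshd" res=success\'',
    # No res= field at all: the rex pattern will not match this line.
    'type=SYSCALL msg=audit(1724745603.404:204): arch=c000003e syscall=59 success=no',
]

# Same pattern as the page's rex command.
REX = re.compile(r"type=(?P<RecordType>[A-Z_]+).*res=(?P<Result>\w+)")


def rex(event: dict, pattern: re.Pattern) -> dict:
    """Like SPL2 rex: add the named groups as fields only when the pattern matches."""
    match = pattern.search(event.get("_raw", ""))
    return {**event, **match.groupdict()} if match else event


def where(events: list, field: str, value: str) -> list:
    """Like SPL2 where: keep an event only if the field exists and equals value.
    Events where rex did not match carry no such field, so they are dropped."""
    return [e for e in events if e.get(field) == value]


def drop_fields(events: list, *names: str) -> list:
    """Like `fields - name1, name2`: remove the named fields from every event."""
    return [{k: v for k, v in e.items() if k not in names} for e in events]


def failed_login_pipeline(raw_lines: list) -> list:
    """The page's pipeline: rex -> where -> where -> fields -, applied to _raw lines."""
    events = [{"_raw": line, "sourcetype": "linux:audit"} for line in raw_lines]
    events = [rex(e, REX) for e in events]
    events = where(events, "RecordType", "USER_LOGIN")
    events = where(events, "Result", "failed")
    return drop_fields(events, "RecordType", "Result")


if __name__ == "__main__":
    for event in failed_login_pipeline(SAMPLE_RAW):
        print(event)  # only alice's failed login survives, without RecordType/Result
```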

See also

fields command
fields command overview
fields command syntax details
fields command usage
pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual
Last modified on 27 August, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

