Related Answers
Download topic as PDF
fields command examples
The following are examples for using the SPL2 fields command.
To learn more about the fields command, see How the fields command works.
1. Specify a list of fields to include in the search results
Return only the host and src fields from the search results.
... | fields host, src
2. Specify a list of fields to remove from the search results
Use the negative ( - ) symbol to specify which fields to remove from the search results. In this example, remove the host and ip fields from the results.
... | fields - host, ip
3. Remove all internal fields from the search results
Internal fields are returned by default. All internal fields begin with an underscore character, for example _time. Use a wild card character ( * ) after the underscore to specify all internal fields. This example keep only the host and ip fields, and remove all of the internal fields.
... | fields host, ip | fields - '_*'
4. Remove specific internal fields from the search results
Remove unwanted internal fields from the results. The fields to exclude are _raw, _indextime, _sourcetype, _subsecond, and _serial.
| from _internal where sourcetype="splunkd" | head 5 | fields - _raw, _indextime, _sourcetype, _subsecond, _serial
5. Store the results in a KV lookup dataset
Keep the host and ip fields. Remove all internal fields from the search results. Store the results in a KV lookup dataset.
...| fields host, ip | fields - '_*' | into myKVlookup
6. Use a wildcard to specify multiple fields that start with a similar name
Keep only the fields source, sourcetype, host, and all fields that begin with error. Because a wildcard is used, the field name must be enclosed in single quotation marks.
... | fields source, sourcetype, host, 'error*'
See also
|
PREVIOUS fields command usage |
NEXT fieldsummary command overview |
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!