Splunk® Cloud Services

SPL2 Search Reference

fields command usage

Internal fields

The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output.

For example, to remove all internal fields, you specify:

... | fields - _*

To exclude a specific field, such as _raw, you specify:

... | fields - _raw

Be cautious when removing the _time field. Statistical commands, such as timechart, cannot display date or time information without the _time field.

Differences between SPL and SPL2

List of fields must be comma-delimited

The list of fields must be comma-delimited. Otherwise a parsing error is returned. Because the include operator ( + ) is the default, it is not shown in these examples.

Version    Example 1
SPL        ... fields userId ip
SPL2       ... fields userId, ip

Command options must be specified first

Command options must be specified before command arguments. The exclude and include operators are command options.

Version    Example 1
SPL        ... fields - host src
SPL2       ... fields - host, src

Field names with special characters must be in single quotes

Field names that contain anything other than a-z, A-Z, 0-9, or underscore ( _ ) must be enclosed in single quotation marks.

Version    Example 1
SPL        ... fields - "_*" host src
SPL2       ... fields - '_*', host, src
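
The three differences above can be applied mechanically when porting saved searches or detection rules from SPL to SPL2. The following Python sketch is an added example, not Splunk code: the function names quote_field and fields_to_spl2 are hypothetical, it handles only a single fields command without the leading pipe, and it assumes that commas already present in the input are separators.

```python
import re
import shlex

# Per the rule above, only a-z, A-Z, 0-9 and underscore may appear unquoted in SPL2.
PLAIN_NAME = re.compile(r"[A-Za-z0-9_]+")


def quote_field(name):
    """Return the field name as SPL2 expects it, single-quoted when required."""
    if PLAIN_NAME.fullmatch(name):
        return name
    if "'" in name:
        raise ValueError(f"cannot single-quote field name: {name!r}")
    return f"'{name}'"


def fields_to_spl2(command):
    """Rewrite one SPL `fields` command (without the leading pipe) as SPL2."""
    lexer = shlex.shlex(command, posix=True)
    lexer.whitespace += ","        # assumption: existing commas are separators
    lexer.whitespace_split = True  # split only on separators, keep _* and - whole
    lexer.commenters = ""          # '#' has no comment meaning here
    tokens = list(lexer)           # double quotes around names are stripped here

    if not tokens or tokens[0] != "fields":
        raise ValueError("not a fields command")
    operator, names = "", tokens[1:]
    if names and names[0] in ("+", "-"):
        operator, names = names[0], names[1:]
    if not names:
        raise ValueError("no fields listed")
    if any(n in ("+", "-") for n in names):
        raise ValueError("include/exclude operator must come before the field list")

    # The include operator (+) is the default, so only '-' is written out.
    prefix = "fields - " if operator == "-" else "fields "
    return prefix + ", ".join(quote_field(n) for n in names)


if __name__ == "__main__":
    # Constructed inputs matching the SPL rows of the tables above.
    for spl in ("fields userId ip", "fields - host src", 'fields - "_*" host src'):
        print(f"{spl:28} -> {fields_to_spl2(spl)}")
```

A command with the operator placed after a field name is rejected instead of being rewritten, because the intended include or exclude scope cannot be inferred safely.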

See also

fields command
fields command overview
fields command examples
Last modified on 29 April, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current
