Splunk® Cloud Services

SPL2 Search Reference

fields command overview

The SPL2 fields command specifies which fields to keep or remove from the search results.

By default, the internal fields _raw and _time are included in the output.

Syntax

The required syntax is in bold.

fields [+|-] <field-list>

How the SPL2 fields command works

Use the SPL2 fields command to specify which fields to keep or remove from the search results. Consider the following set of results:

products quarter sales quota highest_region highest_seller
ProductA QTR1 1200 1000 EMEA Maria.Dubois@example.com
ProductB QTR1 1400 1550 EMEA David.Mayer@sample.net
ProductC QTR1 1650 1275 APAC Manish.Das@example.com
ProductA QTR2 1425 1300 NA stewart.mcintosh@sample.net
ProductB QTR2 1175 1425 EMEA masuda.bashir@example.com
ProductC QTR2 1550 1450 NA Claudia.Garcia@sample.net
ProductA QTR3 1300 1400 APAC Wei.Zhang@example.com
ProductB QTR3 1250 1125 EMEA Maria.Dubois@example.com
ProductC QTR3 1375 1475 LATAM eduardo.rodriguez@sample.net
ProductA QTR4 1550 1300 NA Vanya.Patel@example.com
ProductB QTR4 1700 1225 APAC na.lui@sample.net
ProductC QTR4 1625 1350 EMEA Alex.Martin@oursample.de

You decide to keep only the quarter and highest_seller fields in the results. You add the fields command to the search:

... | fields quarter, highest_seller

The results appear like this:

quarter highest_seller
QTR1 Maria.Dubois@example.com
QTR1 David.Mayer@sample.net
QTR1 Manish.Das@example.com
QTR2 stewart.mcintosh@sample.net
QTR2 masuda.bashir@example.com
QTR2 Claudia.Garcia@sample.net
QTR3 Wei.Zhang@example.com
QTR3 Maria.Dubois@example.com
QTR3 eduardo.rodriguez@sample.net
QTR4 Vanya.Patel@example.com
QTR4 na.lui@sample.net
QTR4 Alex.Martin@oursample.de

Alternatively, you decide to remove the quota and highest_seller fields from the results. You add this fields command to the search:

... | fields - quota, highest_seller

The results appear like this:


products quarter sales highest_region
ProductA QTR1 1200 EMEA
ProductB QTR1 1400 EMEA
ProductC QTR1 1650 APAC
ProductA QTR2 1425 NA
ProductB QTR2 1175 EMEA
ProductC QTR2 1550 NA
ProductA QTR3 1300 APAC
ProductB QTR3 1250 EMEA
ProductC QTR3 1375 LATAM
ProductA QTR4 1550 NA
ProductB QTR4 1700 APAC
ProductC QTR4 1625 EMEA
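
When fields is used to drop sensitive values such as the seller email addresses before results are shared, it helps to confirm that the value is really gone. The following Python model of the keep and remove behaviour described above is an added example, not Splunk code or part of the original page; it reports listed names that matched no field and shows which output fields still carry a given value. It assumes a comma-separated list of plain field names (no wildcards), that a listed name matching no field is ignored rather than rejected, and a constructed event whose _time and _raw values are made up.

```python
import re

INTERNAL_DEFAULTS = {"_raw", "_time"}  # the page: included in the output by default

# Constructed sample event: one row from the page's table plus made-up _time/_raw.
ROWS = [{
    "_time": "2024-01-31T00:00:00Z",
    "_raw": "ProductA QTR1 1200 1000 EMEA Maria.Dubois@example.com",
    "products": "ProductA", "quarter": "QTR1", "sales": 1200, "quota": 1000,
    "highest_region": "EMEA", "highest_seller": "Maria.Dubois@example.com",
}]

def parse_fields(command):
    """Parse 'fields [+|-] <field-list>' into (mode, names). Wildcards are not modelled."""
    m = re.fullmatch(r"\s*fields\s+([+-])?\s*(.+?)\s*", command)
    if not m:
        raise ValueError(f"not a fields command: {command!r}")
    names = [n.strip() for n in m.group(2).split(",")]
    bad = [n for n in names if not re.fullmatch(r"\w+", n)]
    if bad:
        raise ValueError(f"unsupported field names: {bad}")
    return ("remove" if m.group(1) == "-" else "keep"), names

def apply_fields(command, rows):
    """Return (filtered rows, listed names that matched no field in any row)."""
    mode, names = parse_fields(command)
    present = {k for row in rows for k in row}
    unmatched = [n for n in names if n not in present]
    if mode == "keep":
        wanted = set(names) | INTERNAL_DEFAULTS
        out = [{k: v for k, v in row.items() if k in wanted} for row in rows]
    else:
        # Assumption: a name that matches nothing is ignored, so that field stays.
        out = [{k: v for k, v in row.items() if k not in names} for row in rows]
    return out, unmatched

def still_exposed(rows, value):
    """Names of fields in the output whose value still contains `value`."""
    return sorted({k for row in rows for k, v in row.items() if value in str(v)})

if __name__ == "__main__":
    email = "Maria.Dubois@example.com"
    for cmd in ("fields - quota, hightest_seller",      # misspelled name
                "fields - quota, highest_seller",       # _raw still carries the value
                "fields - quota, highest_seller, _raw"):
        out, unmatched = apply_fields(cmd, ROWS)
        print(cmd, "| unmatched:", unmatched, "| exposed in:", still_exposed(out, email))
```

A non-empty unmatched list or a non-empty exposure list means the results still contain data the search was meant to drop.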

See also

fields command
fields command syntax details
fields command usage
fields command examples
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

