fields command overview, syntax, and usage
The SPL2 fields command specifies which fields to keep or remove from the search results.
By default, the internal fields _raw and _time are included in the output.
How the SPL2 fields command works
Use the SPL2 fields command to which specify which fields to keep or remove from the search results. Consider the following set of results:
| products | quarter | sales | quota | highest_region | highest_seller |
|---|---|---|---|---|---|
| ProductA | QTR1 | 1200 | 1000 | EMEA | Maria.Dubois@example.com |
| ProductB | QTR1 | 1400 | 1550 | EMEA | David.Mayer@sample.net |
| ProductC | QTR1 | 1650 | 1275 | APAC | Manish.Das@example.com |
| ProductA | QTR2 | 1425 | 1300 | NA | stewart.mcintosh@sample.net |
| ProductB | QTR2 | 1175 | 1425 | EMEA | masuda.bashir@example.com |
| ProductC | QTR2 | 1550 | 1450 | NA | Claudia.Garcia@sample.net |
| ProductA | QTR3 | 1300 | 1400 | APAC | Wei.Zhang@example.com |
| ProductB | QTR3 | 1250 | 1125 | EMEA | Maria.Dubois@example.com |
| ProductC | QTR3 | 1375 | 1475 | LATAM | eduardo.rodriguez@sample.net |
| ProductA | QTR4 | 1550 | 1300 | NA | Vanya.Patel@example.com |
| ProductB | QTR4 | 1700 | 1225 | APAC | na.lui@sample.net |
| ProductC | QTR4 | 1625 | 1350 | EMEA | Alex.Martin@oursample.de |
You decide to keep only the quarter and highest_seller fields in the results. You add the fields command to the search:
... | fields quarter, hightest_seller
The results appear like this:
| quarter | highest_seller |
|---|---|
| QTR1 | Maria.Dubois@example.com |
| QTR1 | David.Mayer@sample.net |
| QTR1 | Manish.Das@example.com |
| QTR2 | stewart.mcintosh@sample.net |
| QTR2 | masuda.bashir@example.com |
| QTR2 | Claudia.Garcia@sample.net |
| QTR3 | Wei.Zhang@example.com |
| QTR3 | Maria.Dubois@example.com |
| QTR3 | eduardo.rodriguez@sample.net |
| QTR4 | Vanya.Patel@example.com |
| QTR4 | na.lui@sample.net |
| QTR4 | Alex.Martin@oursample.de |
Alternatively, you decide to remove the quota and highest_seller fields from the results. You add this fields command to the search:
... | fields - quota, hightest_seller
The results appear like this:
| products | quarter | sales | highest_region |
|---|---|---|---|
| ProductA | QTR1 | 1200 | EMEA |
| ProductB | QTR1 | 1400 | EMEA |
| ProductC | QTR1 | 1650 | APAC |
| ProductA | QTR2 | 1425 | NA |
| ProductB | QTR2 | 1175 | EMEA |
| ProductC | QTR2 | 1550 | NA |
| ProductA | QTR3 | 1300 | APAC |
| ProductB | QTR3 | 1250 | EMEA |
| ProductC | QTR3 | 1375 | LATAM |
| ProductA | QTR4 | 1550 | NA |
| ProductB | QTR4 | 1700 | APAC |
| ProductC | QTR4 | 1625 | EMEA |
Syntax
The required syntax is in bold.
- fields [+|-] <field-list>
Required arguments
- field-list
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of fields to keep or remove. You can use a wild card character in the field names, but must enclose those field names in single quotation marks. For example
... | fields host, 'server*'
Optional arguments
- + | -
- Syntax: + | -
- Description: If the plus ( + ) symbol is specified, only the fields in the
field-listare kept in the results. If the negative ( - ) symbol is specified, the fields in thefield-listare removed from the results. The symbol you specify applies to all of the fields in thefield-list. - Default: +
All internal fields are returned by default, even if you specify a _time. To remove all of the internal fields from the output use a second fields command, for example ... | fields host, status | fields - '_*'.
Usage
Internal fields
The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output.
For example, to remove all internal fields, you specify:
... | fields - _*
To exclude a specific field, such as _raw, you specify:
... | fields - _raw
Be cautious removing the _time field. Statistical commands, such as timechart, cannot display date or time information without the _time field.
Differences between SPL and SPL2
List of fields must be comma-delimited
The list of fields must be comma-delimited. Otherwise a parsing error is returned. Because the include operator ( + ) is the default, it is not shown in these examples.
| Version | Example 1 |
|---|---|
| SPL | ... fields userId ip |
| SPL2 | ... fields userId, ip |
Command options must be specified first
Command options must be specified before command arguments. The exclude and include operators are command options.
| Version | Example 1 |
|---|---|
| SPL | ... fields - host src |
| SPL2 | ... fields - host, src |
Field names with special characters must be in single quotes
Field names that contain anything other than a-z, A-Z, 0-9, or underscore ( _ ), need to be enclosed in single quotation marks.
| Version | Example 1 |
|---|---|
| SPL | ... fields - "_*" host src |
| SPL2 | ... fields - '_*', host, src |
See also
- fields command
- fields command examples
| expand command examples | fields command examples |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!