Splunk® Cloud Services

SPL2 Search Reference

fields command syntax details

Syntax

The required syntax is in bold.

fields [+|-] <field-list>

Required arguments

field-list
Syntax: <field>, <field>, ...
Description: Comma-delimited list of fields to keep or remove. You can use a wild card character in the field names, but must enclose those field names in single quotation marks. For example ... | fields host, 'server*'

Optional arguments

+ | -
Syntax: + | -
Description: If the plus ( + ) symbol is specified, only the fields in the field-list are kept in the results. If the negative ( - ) symbol is specified, the fields in the field-list are removed from the results. The symbol you specify applies to all of the fields in the field-list.
Default: +

All internal fields are returned by default, even if you specify a . Internal fields begin with an underscore character, such as _time. To remove all of the internal fields from the output use a second fields command, for example ... | fields host, status | fields - '_*'.

See also

fields command
fields command overview
fields command usage
fields command examples
Last modified on 05 March, 2024
fields command overview   fields command usage

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters