fields command usage
The leading underscore is reserved for names of internal fields such as _time. By default, internal fields such as _time are included in the search results. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output.
For example, to remove all internal fields, you specify:
... | fields - _*
To exclude a specific field, such as _raw, you specify:
... | fields - _raw
Be cautious removing the _time field. Statistical commands, such as timechart, cannot display date or time information without the
Differences between SPL and SPL2
List of fields must be comma-delimited
The list of fields must be comma-delimited. Otherwise, a parsing error is returned. Because the include operator ( + ) is the default, it is not shown in these examples.
|SPL|... fields userId ip|
|SPL2|... fields userId, ip|
Command options must be specified first
Command options must be specified before command arguments. The exclude and include operators are command options.
|SPL|... fields - host src|
|SPL2|... fields - host, src|
Field names with special characters must be in single quotes
Field names that contain anything other than a-z, A-Z, 0-9, or underscore ( _ ) need to be enclosed in single quotation marks.
|SPL|... fields - "_*" host src|
|SPL2|... fields - '_*', host, src|
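The following Python is an added example, not Splunk code and not part of this page. It models the two points made above: the fields command keeps internal (underscore-prefixed) fields unless an exclude pattern names them, and an SPL2 field list must be comma-delimited, put the +/- option first, and single-quote names containing characters outside a-z, A-Z, 0-9 and underscore. The parser, apply_fields, spl_to_spl2_fields and the sample events are all constructed here; wildcard matching uses Python's fnmatch as a stand-in for Splunk's own pattern semantics, which is an assumption.

```python
import fnmatch
import re

# Constructed sample events for this demonstration; not real Splunk data.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "_raw": "GET /login 200", "host": "web-1",
     "src": "10.0.0.5", "userId": "alice", "ip": "10.0.0.5", "status": 200},
    {"_time": 1700000060, "_raw": "POST /login 401", "host": "web-2",
     "src": "10.0.0.9", "userId": "bob", "ip": "10.0.0.9", "status": 401},
]

# An unquoted SPL2 field name may contain only a-z, A-Z, 0-9 and underscore;
# anything else (wildcards, dots, spaces, ...) must sit inside single quotes.
UNQUOTED_NAME = re.compile(r"[A-Za-z0-9_]+")
QUOTED_NAME = re.compile(r"'([^']*)'")


def parse_fields_clause(clause):
    """Parse the argument text of an SPL2 `fields` command, e.g. "- '_*', host, src".

    Returns (mode, names): mode is "+" (include, the default) or "-" (exclude);
    names are the field names or wildcard patterns with their quotes removed.
    Raises ValueError for the three SPL habits the migration notes warn about.
    (Simplification: a quoted name containing a comma is not supported.)
    """
    text = clause.strip()
    mode = "+"
    # The include/exclude operator is a command option, so it must come first.
    if text[:1] in ("+", "-"):
        mode = text[0]
        text = text[1:].strip()
    if not text:
        raise ValueError("fields: at least one field name is required")
    names = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            raise ValueError("fields: empty field name in list")
        if token[0] in ("+", "-"):
            raise ValueError(
                f"fields: operator {token[0]!r} must be specified before the field list")
        quoted = QUOTED_NAME.fullmatch(token)
        if quoted:
            names.append(quoted.group(1))
        elif UNQUOTED_NAME.fullmatch(token):
            names.append(token)
        elif " " in token:
            raise ValueError(
                f"fields: {token!r} is not comma-delimited "
                "(SPL accepted space-separated names; SPL2 does not)")
        else:
            raise ValueError(
                f"fields: {token!r} contains characters other than a-z, A-Z, 0-9 "
                "or _ and must be enclosed in single quotes")
    return mode, names


def apply_fields(events, clause):
    """Apply a `fields` clause to a list of event dicts and return new dicts.

    Mirrors the documented behaviour: internal fields (leading underscore)
    survive an include list, and are dropped only when an exclude pattern
    such as '_*' or _raw names them explicitly.
    """
    mode, patterns = parse_fields_clause(clause)

    def matches(name):
        # fnmatchcase: '*' and '?' wildcards, case-sensitive (assumed semantics)
        return any(fnmatch.fnmatchcase(name, p) for p in patterns)

    result = []
    for event in events:
        if mode == "+":
            kept = {k: v for k, v in event.items()
                    if matches(k) or k.startswith("_")}
        else:
            kept = {k: v for k, v in event.items() if not matches(k)}
        result.append(kept)
    return result


def spl_to_spl2_fields(spl_args):
    """Rewrite SPL-style arguments ('- "_*" host src') as SPL2 ("- '_*', host, src").

    Helper written for this example only; it is not a Splunk migration tool.
    """
    tokens = spl_args.split()
    mode = ""
    if tokens and tokens[0] in ("+", "-"):
        mode = tokens.pop(0) + " "
    names = []
    for tok in tokens:
        tok = tok.strip('"')  # SPL used double quotes; SPL2 wants single quotes
        names.append(tok if UNQUOTED_NAME.fullmatch(tok) else f"'{tok}'")
    return mode + ", ".join(names)


if __name__ == "__main__":
    for clause in ("userId, ip", "- '_*', host, src", "- _raw"):
        print(f"fields {clause} ->", apply_fields(SAMPLE_EVENTS, clause)[0])
    print(spl_to_spl2_fields('- "_*" host src'))
```

Running the script shows the include form keeping _time and _raw alongside userId and ip, while the exclude form with '_*' strips every internal field; feeding it the SPL spellings from the table above raises a ValueError naming the rule that was broken.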
This documentation applies to the following versions of Splunk® Cloud Services: current