Splunk Cloud

Search Reference

Download manual as PDF

Download topic as PDF



Sets the field values for all results to a common value.

Sets the value of the given fields to the specified values for each event in the result set. Delimit multiple definitions with commas. Missing fields are added, present fields are overwritten.

Whenever you need to change or define field values, you can use the more general purpose eval command. See usage of an eval expression to set the value of a field in Example 1.


setfields <setfields-arg>, ...

Required arguments

Syntax: string="<string>", ...
Description: A key-value pair, with the value quoted. If you specify multiple key-value pairs, separate each pair with a comma. Standard key cleaning is performed. This means all non-alphanumeric characters are replaced with '_' and leading '_' are removed.


Example 1:

Specify a value for the ip and foo fields.

... | setfields ip="", foo="foo bar"

To do this with the eval command:

... | eval ip="" | eval foo="foo bar"

See also

eval, fillnull, rename

Last modified on 22 July, 2020

This documentation applies to the following versions of Splunk Cloud: 7.0.11, 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001, 8.0.2003, 8.0.2004, 8.0.2006, 8.0.2007, 8.1.2008

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters