Description
Keeps or removes fields from search results based on the field list criteria.
By default, the internal fields _raw and _time are included in output in Splunk Web. Additional internal fields are included in the output with the outputcsv command. See Usage.
Syntax
fields [+|-] <wc-field-list>
Required arguments
- <wc-field-list>
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of fields to keep or remove. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. For example, if you want to specify all fields that start with "value", you can use a wildcard such as
value*.
Optional arguments
- + | -
- Syntax: + | -
- Description: If the plus ( + ) symbol is specified, only the fields in the
wc-field-listare kept in the results. If the negative ( - ) symbol is specified, the fields in thewc-field-listare removed from the results. - Default: +
Usage
The fields command is a distributable streaming command. See Command types.
Internal fields and Splunk Web
The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results in Splunk Web. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output in Splunk Web.
For example, to remove all internal fields, you specify:
... | fields - _*
To exclude a specific field, such as _raw, you specify:
... | fields - _raw
Be cautious removing the _time field. Statistical commands, such as timechart and chart, cannot display date or time information without the _time field.
Displaying internal fields in Splunk Web
Other than the _raw and _time fields, internal fields do not display in Splunk Web, even if you explicitly specify the fields in the search. For example, the following search does not show the _bkt field in the results.
index=_internal | head 5 | fields + _bkt | table _bkt
To display an internal field in the results, the field must be copied or renamed to a field name that does not include the leading underscore character. For example:
index=_internal | head 5 | fields + _bkt | eval bkt=_bkt | table bkt
Internal fields and the outputcsv command
When the outputcsv command is used in the search, there are additional internal fields that are automatically added to the CSV file. The most common internal fields that are added are:
- _raw
- _time
- _indextime
To exclude internal fields from the output, specify each field that you want to exclude. For example:
... | fields - _raw _indextime _sourcetype _serial | outputcsv MyTestCsvFile
You cannot match wildcard characters in searches that use the fields command
You can use the asterisk (*) in your searches as a wildcard character, but you can't use a backslash (\) to escape an asterisk in search strings. A backslash\ and an asterisk * match the characters \* in searches, not an escaped wildcard * character. Because Splunk platform doesn't support escaping wildcards, asterisk (*) characters in field names can't be matched in searches that keep or remove fields from search results.
Support for backslash characters (\) in the fields command
To match a backslash character (\) in a field name when using the fields command, use 2 backslashes for each backslash. For example, to display fields that contain http:\\, use the following command in your search:
... | fields http:\\\\*
See Backslashes in the Search Manual.
Examples
Example 1:
Remove the host and ip fields from the results
... | fields - host, ip
Example 2:
Keep only the host and ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example _time.
... | fields host, ip | fields - _*
Example 3:
Remove unwanted internal fields from the output CSV file. The fields to exclude are _raw_indextime, _sourcetype, _subsecond, and _serial.
index=_internal sourcetype="splunkd" | head 5 | fields - _raw, _indextime, _sourcetype, _subsecond, _serial | outputcsv MyTestCsvfile
Example 4:
Keep only the fields source, sourcetype, host, and all fields beginning with error.
... | fields source, sourcetype, host, error*
See also
rename,table
Last modified on 06 October, 2023
| fieldformat | fieldsummary |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.10, 8.1.0, 7.2.3, 8.0.8, 7.0.1, 8.0.7, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 8.0.9, 8.1.1, 8.1.10
