fields command: Examples
The following are examples for using the SPL2 fields command. 
To learn more about the fields command, see How the SPL2 fields command works.
1. Specify a list of fields to include in the search results
Return only the host and src fields from the search results.
... | fields host, src
2. Specify a list of fields to remove from the search results
Use the negative ( - ) symbol to specify which fields to remove from the search results. In this example, remove the host and ip fields from the results.
... | fields - host, ip
3. Remove all internal fields from the search results
Internal fields are returned by default. All internal fields begin with an underscore character, for example _time. Use a wildcard character ( * ) after the underscore to specify all internal fields. This example keeps only the host and ip fields, and removes all of the internal fields.
... | fields host, ip | fields - '_*'
4. Remove specific internal fields from the search results
Remove unwanted internal fields from the results. The fields to exclude are _raw, _indextime, _sourcetype, _subsecond, and _serial.
| from _internal where sourcetype="splunkd" | head 5 | fields - _raw, _indextime, _sourcetype, _subsecond, _serial
5. Store the results in a KV lookup dataset
Keep the host and ip fields.  Remove all internal fields from the search results. Store the results in a KV lookup dataset.
... | fields host, ip | fields - '_*' | into myKVlookup
6. Use a wildcard to specify multiple fields that start with a similar name
Keep only the fields source, sourcetype, host, and all fields that begin with error. Because a wildcard is used, the field name must be enclosed in single quotation marks.
... | fields source, sourcetype, host, 'error*'
7. Pipeline examples
The following examples show how to use the fields command to remove fields in a pipeline.
Dropping fields in a pipeline
This example extracts the log message number from the _raw field. The numbers are copied into a field named msg_num. The fields command is used to drop the _raw field and then the data is sent to an existing index named cisco_msg_num.
$pipeline = | from $source  
| rex field=_raw /(?P<msg_num>(%ASA|%FTD)-\d+-\d+)/
| fields - _raw
| eval index="cisco_msg_num"
| into $destination
Filter data in a pipeline based on extracted fields
Suppose you want to filter data in Linux audit logs so that only audit logs that indicate failed login attempts remain. You must first extract the record types and result values from the logs with the rex command. Then filter extracted fields using the where command. Use the fields command to drop the RecordType and Result fields from the events before the data is sent to the destination.
$pipeline = | from $source
| rex field=_raw /type=(?P<RecordType>[A-Z_]+).*res=(?P<Result>\w+)/
| where RecordType = "USER_LOGIN"
| where Result = "failed"
| fields - RecordType, Result
| into $destination
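The filtering logic of this pipeline can be checked against sample events before it is applied. The following Python sketch is an added example, not part of the original page or of Splunk's code: it assumes Python's re module behaves like rex for this pattern, and the sample audit events and the function names rex and run_pipeline are constructed for illustration.

```python
import re

# Same pattern as the rex step in the pipeline above.
AUDIT_RE = re.compile(r"type=(?P<RecordType>[A-Z_]+).*res=(?P<Result>\w+)")

# Constructed sample events in Linux audit log format (not real data).
SAMPLE_EVENTS = [
    {"_raw": "type=USER_LOGIN msg=audit(1700000000.101:501): pid=2211 uid=0 "
             "msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" "
             "addr=192.0.2.10 terminal=ssh res=failed'"},
    {"_raw": "type=USER_LOGIN msg=audit(1700000000.102:502): pid=2212 uid=0 "
             "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" "
             "addr=192.0.2.11 terminal=ssh res=success'"},
    {"_raw": "type=USER_AUTH msg=audit(1700000000.103:503): pid=2213 uid=0 "
             "msg='op=PAM:authentication acct=\"bob\" res=failed'"},
    # No res= key at all: the pattern does not match, so no fields are added.
    {"_raw": "type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e "
             "syscall=59 success=yes exit=0"},
]

def rex(event):
    """rex step: add the named capture groups as fields when the pattern matches."""
    match = AUDIT_RE.search(event["_raw"])
    return {**event, **match.groupdict()} if match else dict(event)

def run_pipeline(events):
    """rex | where RecordType | where Result | fields - RecordType, Result"""
    kept = []
    for event in map(rex, events):
        # where steps: an event with a missing field fails the comparison.
        if event.get("RecordType") != "USER_LOGIN":
            continue
        if event.get("Result") != "failed":
            continue
        # fields - RecordType, Result: drop the helper fields before output.
        kept.append({k: v for k, v in event.items()
                     if k not in ("RecordType", "Result")})
    return kept

if __name__ == "__main__":
    for event in run_pipeline(SAMPLE_EVENTS):
        print(sorted(event), event["_raw"][:60])
```

Only the first sample event reaches the destination, and it carries just _raw: the extracted fields exist only long enough to drive the where filters.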
See also
fields command
pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual