fields command: Overview, syntax, and usage
The SPL2 fields command specifies which fields to keep or remove from the search results. By default, the internal fields _raw and _time are included in the output.
Use these links to quickly navigate to the main sections in this topic:
How the SPL2 fields command works
Use the SPL2 fields command to which specify which fields to keep or remove from the search results. Consider the following set of results:
| products | quarter | sales | quota | highest_region | highest_seller |
|---|---|---|---|---|---|
| ProductA | QTR1 | 1200 | 1000 | EMEA | Maria.Dubois@example.com |
| ProductB | QTR1 | 1400 | 1550 | EMEA | David.Mayer@sample.net |
| ProductC | QTR1 | 1650 | 1275 | APAC | Manish.Das@example.com |
| ProductA | QTR2 | 1425 | 1300 | NA | stewart.mcintosh@sample.net |
| ProductB | QTR2 | 1175 | 1425 | EMEA | masuda.bashir@example.com |
| ProductC | QTR2 | 1550 | 1450 | NA | Claudia.Garcia@sample.net |
| ProductA | QTR3 | 1300 | 1400 | APAC | Wei.Zhang@example.com |
| ProductB | QTR3 | 1250 | 1125 | EMEA | Maria.Dubois@example.com |
| ProductC | QTR3 | 1375 | 1475 | LATAM | eduardo.rodriguez@sample.net |
| ProductA | QTR4 | 1550 | 1300 | NA | Vanya.Patel@example.com |
| ProductB | QTR4 | 1700 | 1225 | APAC | na.lui@sample.net |
| ProductC | QTR4 | 1625 | 1350 | EMEA | Alex.Martin@oursample.de |
You decide to keep only the quarter and highest_seller fields in the results. You add the fields command to the search:
... | fields quarter, hightest_sellerThe results appear like this:
| quarter | highest_seller |
|---|---|
| QTR1 | Maria.Dubois@example.com |
| QTR1 | David.Mayer@sample.net |
| QTR1 | Manish.Das@example.com |
| QTR2 | stewart.mcintosh@sample.net |
| QTR2 | masuda.bashir@example.com |
| QTR2 | Claudia.Garcia@sample.net |
| QTR3 | Wei.Zhang@example.com |
| QTR3 | Maria.Dubois@example.com |
| QTR3 | eduardo.rodriguez@sample.net |
| QTR4 | Vanya.Patel@example.com |
| QTR4 | na.lui@sample.net |
| QTR4 | Alex.Martin@oursample.de |
Alternatively, you decide to remove the quota and highest_seller fields from the results. You add this fields command to the search:
... | fields - quota, hightest_sellerThe results appear like this:
| products | quarter | sales | highest_region |
|---|---|---|---|
| ProductA | QTR1 | 1200 | EMEA |
| ProductB | QTR1 | 1400 | EMEA |
| ProductC | QTR1 | 1650 | APAC |
| ProductA | QTR2 | 1425 | NA |
| ProductB | QTR2 | 1175 | EMEA |
| ProductC | QTR2 | 1550 | NA |
| ProductA | QTR3 | 1300 | APAC |
| ProductB | QTR3 | 1250 | EMEA |
| ProductC | QTR3 | 1375 | LATAM |
| ProductA | QTR4 | 1550 | NA |
| ProductB | QTR4 | 1700 | APAC |
| ProductC | QTR4 | 1625 | EMEA |
Syntax
The required syntax is in bold.
fields [+|-] <field-list>
Required arguments
field-list
Syntax: <field>, <field>, ...
Description: Comma-delimited list of fields to keep or remove. You can use a wild card character in the field names, but must enclose those field names in single quotation marks. For example ... | fields host, 'server*'
Optional arguments
+ | -
Syntax: + | -
Description: If the plus ( + ) symbol is specified, only the fields in the field-list are kept in the results. If the negative ( - ) symbol is specified, the fields in the field-list are removed from the results. The symbol you specify applies to all of the fields in the field-list.
Default: +
_time. To remove all of the internal fields from the output use a second fields command, for example ... | fields host, status | fields - '_*'.
Usage
Internal fields
The leading underscore is reserved for names of internal fields such as _raw and _time. By default, the internal fields _raw and _time are included in the search results. The fields command does not remove these internal fields unless you explicitly specify that the fields should not appear in the output.
For example, to remove all internal fields, you specify:
... | fields - _*To exclude a specific field, such as _raw, you specify:
... | fields - _raw
_time field. Statistical commands, such as timechart, cannot display date or time information without the _time field.Differences between SPL and SPL2
List of fields must be comma-delimited
The list of fields must be comma-delimited. Otherwise a parsing error is returned. Because the include operator ( + ) is the default, it is not shown in these examples.
| Version | Example 1 |
|---|---|
| SPL | ... fields userId ip |
| SPL2 | ... fields userId, ip |
Command options must be specified first
Command options must be specified before command arguments. The exclude and include operators are command options.
| Version | Example 1 |
|---|---|
| SPL | ... fields - host src |
| SPL2 | ... fields - host, src |
Field names with special characters must be in single quotes
Field names that contain anything other than a-z, A-Z, 0-9, or underscore ( _ ), need to be enclosed in single quotation marks.
| Version | Example 1 |
|---|---|
| SPL | ... fields - "_*" host src |
| SPL2 | ... fields - '_*', host, src |
See also
fields command