Fields: Splunk Commands Tutorials & Reference
Commands Category: Filtering
Commands: fields
Use: Keeps or removes fields from search results based on the field list criteria. Useful for limiting the fields displayed, and can make searches faster.
Remove the host and ip fields from the results
... | fields - host, ip
Keep only the host and ip fields. Remove all of the internal fields. The internal fields begin with an underscore character, for example _time.
... | fields host, ip | fields - _*
Remove unwanted internal fields from the output CSV file. The fields to exclude are _raw, _indextime, _sourcetype, _subsecond, and _serial.
index=_internal sourcetype="splunkd" | head 5 | fields - _raw _indextime _sourcetype _subsecond _serial | outputcsv MyTestCsvfile
Keep only the fields source, sourcetype, host, and all fields beginning with error.
... | fields source, sourcetype, host, error*
Example using the sample data (tutorialdata) to exclude the status and clientip fields.
index=web sourcetype=access_combines | fields - status clientip