fields
The fields command specifies the fields that should be included in or excluded from the search results.
Syntax
The fields command has the following syntax:
fields [+|-] <field-list>
Parameters
The fields command supports the following parameters.
| Parameter | Required/Optional | Description |
|---|---|---|
<field-list> | Required | A comma-delimited or space-delimited list of fields to keep or remove. Supports wildcard patterns. |
[+|-] | Optional | If the plus sign (+) is used, only the fields specified in the field-list are included. If the minus sign (-) is used, all fields specified in the field-list are excluded. Default is +. |
Example 1: Select specified fields from the search result
The following query shows how to retrieve the account_number, firstname, and lastname fields from the search results:
source=accounts
| fields account_number, firstname, lastname
The query returns the following results:
| account_number | firstname | lastname |
|---|---|---|
| 1 | Amber | Duke |
| 6 | Hattie | Bond |
| 13 | Nanette | Bates |
| 18 | Dale | Adams |
Example 2: Remove specified fields from the search results
The following query shows how to remove the account_number field from the search results:
source=accounts
| fields account_number, firstname, lastname
| fields - account_number
The query returns the following results:
| firstname | lastname |
|---|---|
| Amber | Duke |
| Hattie | Bond |
| Nanette | Bates |
| Dale | Adams |
Example 3: Space-delimited field selection
Fields can be specified using spaces instead of commas, providing a more concise syntax:
source=accounts
| fields firstname lastname age
The query returns the following results:
| firstname | lastname | age |
|---|---|---|
| Amber | Duke | 32 |
| Hattie | Bond | 36 |
| Nanette | Bates | 28 |
| Dale | Adams | 33 |
Example 4: Prefix wildcard pattern
The following query selects fields starting with a pattern using prefix wildcards:
source=accounts
| fields account*
The query returns the following results:
| account_number |
|---|
| 1 |
| 6 |
| 13 |
| 18 |
Example 5: Suffix wildcard pattern
The following query selects fields ending with a pattern using suffix wildcards:
source=accounts
| fields *name
The query returns the following results:
| firstname | lastname |
|---|---|
| Amber | Duke |
| Hattie | Bond |
| Nanette | Bates |
| Dale | Adams |
Example 6: Wildcard pattern matching
The following query selects fields containing a pattern using contains wildcards:
source=accounts
| fields *a*
| head 1
The query returns the following results:
| account_number | firstname | address | balance | state | age | lastname | |
|---|---|---|---|---|---|---|---|
| 1 | Amber | 880 Holmes Lane | 39225 | IL | 32 | amberduke@pyrami.com | Duke |
Example 7: Mixed delimiter syntax
The following query combines spaces and commas for flexible field specification:
source=accounts
| fields firstname, account* *name
The query returns the following results:
| firstname | account_number | lastname |
|---|---|---|
| Amber | 1 | Duke |
| Hattie | 6 | Bond |
| Nanette | 13 | Bates |
| Dale | 18 | Adams |
Example 8: Field deduplication
The following query automatically prevents duplicate columns when wildcards expand to already specified fields:
source=accounts
| fields firstname, *name
The query returns the following results. Even though firstname is explicitly specified and also matches *name, it appears only once because of automatic deduplication:
| firstname | lastname |
|---|---|
| Amber | Duke |
| Hattie | Bond |
| Nanette | Bates |
| Dale | Adams |
Example 9: Full wildcard selection
The following query selects all available fields using * or `*`. This expression selects all fields defined in the index schema, including fields that may contain null values. The * wildcard selects fields based on the index schema, not on the data content, so fields with null values are included in the result set. Use backticks (`*`) if the plain * does not return all expected fields:
source=accounts
| fields `*`
| head 1
The query returns the following results:
| account_number | firstname | address | balance | gender | city | employer | state | age | lastname | |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Amber | 880 Holmes Lane | 39225 | M | Brogan | Pyrami | IL | 32 | amberduke@pyrami.com | Duke |
Example 10: Wildcard exclusion
The following query removes fields using wildcard patterns containing the minus (-) operator:
source=accounts
| fields - *name
The query returns the following results:
| account_number | address | balance | gender | city | employer | state | age | |
|---|---|---|---|---|---|---|---|---|
| 1 | 880 Holmes Lane | 39225 | M | Brogan | Pyrami | IL | 32 | amberduke@pyrami.com |
| 6 | 671 Bristol Street | 5686 | M | Dante | Netagy | TN | 36 | hattiebond@netagy.com |
| 13 | 789 Madison Street | 32838 | F | Nogal | Quility | VA | 28 | null |
| 18 | 467 Hutchinson Court | 4180 | M | Orick | null | MD | 33 | daleadams@boink.com |
Related documentation
table– An alias command with identical functionality