topic Do anybody know about fields +? in Knowledge Management

Do anybody know about fields +?

pal_sumit1 — Thu, 02 Aug 2018 13:12:15 GMT

What is difference between fields + and fields -?

Re: Do anybody know about fields +?

skoelpin — Thu, 02 Aug 2018 13:28:50 GMT

When you use fields + you are sayiing you want to include the fields. If you're using fields - then your saying you want to exclude the fields.

Here's an example, say you have 10 columns, and only want to see sourcetype and host, then it would look like this

| fileds + host sourcetype

Now the reverse, if you had 10 fields and did not want to see host and sourcetype then it would look like this

| fields - host sourcetype

This is a streaming command so it's better to use that table

Re: Do anybody know about fields +?

DalJeanis — Thu, 02 Aug 2018 13:30:32 GMT

Here is the google search to find the manual page:

  site:splunk.com fields

Here is the page...

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields

Here is your answer...

With the minus, and a space, will remove the fields that are listed.

| fields - ... list of field names you want to get rid of ...

Without the minus, or with a plus, will remove all fields that are NOT listed.

| fields - ... list of field names you want to keep ...

Special fields that start with an underscore are NOT removed unless you explicitly tell the fields command to remove them. Both of these will remove the field _raw, the second one will also remove the field _time.

| fields - _raw

| fields - _*

Re: Do anybody know about fields +?

pal_sumit1 — Fri, 03 Aug 2018 12:57:52 GMT

Which is the optimized way to display data (fields + or field -)?

Re: Do anybody know about fields +?

sudosplunk — Fri, 03 Aug 2018 13:32:09 GMT

fields aka fields +. Because, inclusion is always better than exclusion.

Example use case, let's say you have two fields ip and src_ip, and you're only interested in viewing results which have ip.
If you use fields - src_ip, splunk will pull all data from disk and then determine which data doesn't have fields src_ip.
If you user fields ip, splunk will only look for data which have ip instead of going after every event.

Please refer to below links if my explanation isn't clear.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Quicktipsforoptimization
https://wiki.splunk.com/Community:Intro_to_Splunk_Search_Performance

Re: Do anybody know about fields +?

DalJeanis — Fri, 03 Aug 2018 13:53:34 GMT

This is not about "displaying data", this is about telling the search what data to retain or eliminate.

@nittala_surya is correct that |fields is what you will use in most cases, the first time you use the command. This is because the first time you use it, you are usually listing exactly the data that your search needs. After that, you will often use the command to get rid of fields that you have already used and no longer need.

For efficiency sake, you want to limit data in this order -

First, the index, source and sourcetype you need.
Second, the _time range you need
Third, select only the fields you need
Fourth, any specific filters about the records you want
Fifth, make sure to do all calculation, lookups and useful streaming commands before any transforming commands that might cause the search to bring data to the search head.

Sixth - and this is an exception to the above - if you are going to summarize data on a field, and there is a lookup that only requires that field, but is not needed before the summarization, then do that lookup after the summarization, not before.