https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680913#M232708 <P>if the fileds has values like filed=0, field=1 etc.. how can i filter this filed which has values greater than 1</P> Sat, 16 Mar 2024 17:14:07 GMT Rajpranar 2024-03-16T17:14:07Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9306#M68 <P>In SQL-speak, "how to specify the columns in <CODE>SELECT</CODE> clause"? Normally, Splunk does the equivalent of <CODE>SELECT *</CODE>, which might not be wanted.</P> Mon, 18 Jan 2010 09:02:29 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9306#M68 V_at_Splunk 2010-01-18T09:02:29Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9307#M69 <P>Say you want only field <CODE>foo</CODE>.</P> <P>In 3.x, <CODE>... | FIELDS + foo</CODE></P> <P>In 4.x, <CODE>... | FIELDS foo | FIELDS - _*</CODE></P> Mon, 18 Jan 2010 09:10:58 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9307#M69 V_at_Splunk 2010-01-18T09:10:58Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9308#M70 <P>what does the _* in the 4.x string mean? Why the underscore?</P> Mon, 18 Jan 2010 14:50:35 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9308#M70 benstraw 2010-01-18T14:50:35Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9309#M71 <P>_* refers to the reserved (a.k.a. "internal") fields such as _time.</P> <P>So it seems to read "I want foo, <EM>and</EM> I don't want any internal fields".</P> <P>The explanation at <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Fields">http://www.splunk.com/base/Documentation/latest/SearchReference/Fields</A> might make more sense to you.</P> Tue, 19 Jan 2010 02:15:55 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/9309#M71 V_at_Splunk 2010-01-19T02:15:55Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680913#M232708 <P>if the fileds has values like filed=0, field=1 etc.. how can i filter this filed which has values greater than 1</P> Sat, 16 Mar 2024 17:14:07 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680913#M232708 Rajpranar 2024-03-16T17:14:07Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680915#M232709 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265990">@Rajpranar</a>,</P><P>This is a lovely thread, but it's 14 years old. Asking a new, unanswered question will help you get an answer more quickly.</P><P>You can use the greater than operator in field expressions:</P><P>field&gt;1</P><P>See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Fieldexpressions" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/Search/Fieldexpressions</A>.</P><P>If you need to compare the value of two fields, use the where command:</P><P>| where field2&gt;field1</P> Sat, 16 Mar 2024 18:07:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680915#M232709 tscroggins 2024-03-16T18:07:30Z https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680918#M232710 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;i did post a new question..</P><P>How to filter a field from the log where the values change for example please see below,</P><P>logfile =(result1=0 result2=5 result3=10 result4=14)&nbsp; at 5AM</P><P>logfile =(result1=8 result2=5 result3=10 result4=14) at 5:10Am</P><P>logfile =(result1=4 result2=5 result3=10 result4=14) at 5:20Am</P><P>logfile =(result1=3 result2=5 result3=10 result4=14) at 5:30Am</P><P>i want query to return result and show when result1 is greater than 5, please help</P><P>Current state im at =index=indexname | search sourcetype=eventname "result1=5" gives results but if i do<BR />index=indexname | search sourcetype=eventname "result1&gt; 4" returns nothing</P> Sat, 16 Mar 2024 19:03:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-filter-only-desired-fields-from-fetched-events/m-p/680918#M232710 Rajpranar 2024-03-16T19:03:25Z