topic Using wildcard in fields command not working as expected in Splunk Search

Using wildcard in fields command not working as expected

treywebb — Wed, 20 May 2015 13:59:41 GMT

For example the following search continues to include fields that start with user (such as userName, userId) etc.

index=blah | fields - user*

Has anyone else seen this or am I just doing this wrong?

Re: Using wildcard in fields command not working as expected

woodcock — Wed, 20 May 2015 14:04:54 GMT

I am skeptical of your claim. Just because the fields do not exist, does not mean that the data to which they used to point will be obliterated from your event (which is perhaps the mistaken assumption you are using to presume that the command isn't working). I will prove that the command works; try this:

index=blah | stats count by userName

This will surely give you data. Now try it after removing the fields like this:

index=blah | fields - user* | stats count by userName

This will surely yield no results.

Re: Using wildcard in fields command not working as expected

aweitzman — Wed, 20 May 2015 14:08:05 GMT

You will still see those fields in the raw data, Splunk doesn't change that. What does change are the fields it is keeping track of going forward.

For instance, your results for these two searches should be different:

index=blah | table *

and

index=blah | fields - user* | table *

Eliminating fields you don't need as you build your search string just means that Splunk internally doesn't keep them around anymore as it is generating your search results. Splunk never changes your raw data, only how it is interpreted.

Re: Using wildcard in fields command not working as expected

treywebb — Wed, 20 May 2015 15:19:27 GMT

This explains it perfectly. I was overlooking _raw in the events tab. doing as you show here works as expected. Thanks!