Knowledge Management

Do anybody know about fields +?

pal_sumit1
Path Finder

What is difference between fields + and fields -?

Tags (1)
0 Karma
1 Solution

DalJeanis
Legend

Here is the google search to find the manual page:

  site:splunk.com fields 

Here is the page...

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields

Here is your answer...

With the minus, and a space, will remove the fields that are listed.

| fields - ... list of field names you want to get rid of ...

Without the minus, or with a plus, will remove all fields that are NOT listed.

| fields - ... list of field names you want to keep ...

Special fields that start with an underscore are NOT removed unless you explicitly tell the fields command to remove them. Both of these will remove the field _raw, the second one will also remove the field _time.

| fields - _raw

| fields - _*

View solution in original post

DalJeanis
Legend

Here is the google search to find the manual page:

  site:splunk.com fields 

Here is the page...

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields

Here is your answer...

With the minus, and a space, will remove the fields that are listed.

| fields - ... list of field names you want to get rid of ...

Without the minus, or with a plus, will remove all fields that are NOT listed.

| fields - ... list of field names you want to keep ...

Special fields that start with an underscore are NOT removed unless you explicitly tell the fields command to remove them. Both of these will remove the field _raw, the second one will also remove the field _time.

| fields - _raw

| fields - _*

pal_sumit1
Path Finder

Which is the optimized way to display data (fields + or field -)?

0 Karma

DalJeanis
Legend

This is not about "displaying data", this is about telling the search what data to retain or eliminate.

@nittala_surya is correct that |fields is what you will use in most cases, the first time you use the command. This is because the first time you use it, you are usually listing exactly the data that your search needs. After that, you will often use the command to get rid of fields that you have already used and no longer need.

For efficiency sake, you want to limit data in this order -

First, the index, source and sourcetype you need.
Second, the _time range you need
Third, select only the fields you need
Fourth, any specific filters about the records you want
Fifth, make sure to do all calculation, lookups and useful streaming commands before any transforming commands that might cause the search to bring data to the search head.

Sixth - and this is an exception to the above - if you are going to summarize data on a field, and there is a lookup that only requires that field, but is not needed before the summarization, then do that lookup after the summarization, not before.

0 Karma

sudosplunk
Motivator

fields aka fields +. Because, inclusion is always better than exclusion.

Example use case, let's say you have two fields ip and src_ip, and you're only interested in viewing results which have ip.
If you use fields - src_ip, splunk will pull all data from disk and then determine which data doesn't have fields src_ip.
If you user fields ip, splunk will only look for data which have ip instead of going after every event.

Please refer to below links if my explanation isn't clear.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Quicktipsforoptimization
https://wiki.splunk.com/Community:Intro_to_Splunk_Search_Performance

0 Karma

skoelpin
SplunkTrust
SplunkTrust

When you use fields + you are sayiing you want to include the fields. If you're using fields - then your saying you want to exclude the fields.

Here's an example, say you have 10 columns, and only want to see sourcetype and host, then it would look like this

| fileds + host sourcetype

Now the reverse, if you had 10 fields and did not want to see host and sourcetype then it would look like this

| fields - host sourcetype

This is a streaming command so it's better to use that table

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...