
Fields command in 4.1.2, build 79191 may have a bug?

Path Finder

The fields command in 4.1.2, build 79191 has a bug.

It includes all results from the _* fields even when specified with a "+" operator.

e.g.

fields + src_ip

will include the results from _* fields still

0 Karma

Re: Fields command in 4.1.2, build 79191 may have a bug?

Legend

You may be misreading the documentation. Using the + option on fields does not remove hidden _* fields from the results (unless explicitly listed): http://www.splunk.com/base/Documentation/latest/SearchReference/Fields says:

The fields command does not remove internal fields unless explicitly specified


Re: Fields command in 4.1.2, build 79191 may have a bug?

Path Finder

I'm confused, because the same documentation states that... (If + is specified, only the fields that match one of the fields in the list are kept.) And I've been successfully removing all _* fields by using (fields + field1,field2,field3) in previous versions till date.

0 Karma

Re: Fields command in 4.1.2, build 79191 may have a bug?

Path Finder

Wow, this question sure is being modded down alright! 😛 If someone would care to help clarify further about my comment to gkanapathy below...would appreciate it much!

0 Karma