Fields command in 4.1.2, build 79191 may have a bug?

Path Finder

The fields command in 4.1.2, build 79191 has a bug.

It includes all results from the _* fields even when specified with a "+" operator.

e.g.

fields + src_ip

will include the results from _* fields still

Re: Fields command in 4.1.2, build 79191 may have a bug?

Splunk Employee

You may be misreading the documentation. Using the + option on fields does not remove hidden _* fields from the results (unless explicitly listed): http://www.splunk.com/base/Documentation/latest/SearchReference/Fields says:

The fields command does not remove internal fields unless explicitly specified

Re: Fields command in 4.1.2, build 79191 may have a bug?

Path Finder

I'm confused, because the same documentation states that... (If + is specified, only the fields that match one of the fields in the list are kept.) And I've been successfully removing all _* fields by using (fields + field1,field2,field3) in previous versions to date.

Re: Fields command in 4.1.2, build 79191 may have a bug?

Path Finder

Wow, this question sure is being modded down alright! 😛 If someone would care to help clarify further about my comment to gkanapathy below...would appreciate it much!
