Re: How to get indexed fields filtered by the fiel...

akazarov · ‎05-25-2016

Hello,

When indexing data, I extract some selected fields. Thus, these fields are not part of 'EXTRACT-fields' line in props.conf, as it is suggested by documentation. Fields are indexed fine and I can search using the fields names. However, what does not work is extracting some of these fields from the search using the | fields command, like:

index=.. <search criteria> | fields gh

I do see these fields in Splunk Web, and for example | table gh works with the fields, but not the | fields which produces no results.
Puzzled. Is there a special syntax to refer to indexed fields in the fields filter?

Thanks
Andrei

woodcock · ‎05-25-2016

If things are exactly as you say then there is a bug and you should open a case on this. In the meantime, try this as a work around:

... | table * _* | fields gh

When I have seen this bug before (v4.?) I could pass through table first to make it work.

How to get indexed fields filtered by the fields command?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation