Re: Output only specific field values to CLI

jones4bob · ‎06-23-2010

I'm trying to pull data from the CLI to pipe to awk to pipe to ... I can't seem to find the correct syntax to say, for example, just pull a single field from a record, rather than pulling everything in each event. Older examples seem to indicate that I can pipe the search to 'fields + field1 field2' but this still only produces the entire event information. What am I missing?

gkanapathy · ‎06-23-2010

you can also use the table search command instead of fields.

swdonline · ‎03-30-2012

Interestingly, in 4.3.1, when I use this for the cli (which works fine in the GUI):
table a b c d e
I get these results:
a d e b c
Why would table return fields in a different order from the CLI?

jones4bob · ‎06-23-2010

I think I've found what I was looking for.

The syntax for pulling specific fields appears to need to work like this: fields field1 field2 | fields - _*

It looks like that last pipe to fields is needed to remove the remainder of the fields from the search result. This worked for me and produced the desired output for awk to process.

Output only specific field values to CLI

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation