Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Output only specific field values to CLI

jones4bob
Explorer
‎06-23-2010 04:59 PM

I'm trying to pull data from the CLI to pipe to awk to pipe to ... I can't seem to find the correct syntax to say, for example, just pull a single field from a record, rather than pulling everything in each event. Older examples seem to indicate that I can pipe the search to 'fields + field1 field2' but this still only produces the entire event information. What am I missing?

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-23-2010 08:59 PM

you can also use the table search command instead of fields.

Reply

swdonline
Path Finder
‎03-30-2012 12:23 PM

Interestingly, in 4.3.1, when I use this for the cli (which works fine in the GUI):
table a b c d e
I get these results:
a d e b c
Why would table return fields in a different order from the CLI?

0 Karma
Reply

jones4bob
Explorer
‎06-23-2010 05:52 PM

I think I've found what I was looking for.

The syntax for pulling specific fields appears to need to work like this: fields field1 field2 | fields - _*

It looks like that last pipe to fields is needed to remove the remainder of the fields from the search result. This worked for me and produced the desired output for awk to process.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...