In SQL-speak, "how to specify the columns in SELECT clause"? Normally, Splunk does the equivalent of SELECT *, which might not be wanted.
SELECT
SELECT *
Say you want only field foo.
foo
In 3.x, ... | FIELDS + foo
... | FIELDS + foo
In 4.x, ... | FIELDS foo | FIELDS - _*
... | FIELDS foo | FIELDS - _*
View solution in original post
_* refers to the reserved (a.k.a. "internal") fields such as _time.
So it seems to read "I want foo, and I don't want any internal fields".
The explanation at http://www.splunk.com/base/Documentation/latest/SearchReference/Fields might make more sense to you.
what does the _* in the 4.x string mean? Why the underscore?
