Thanks! This case helped me understand that
-output rawdata
is based on the contents of the _raw field and that any field filtering is ignored.
For example:
splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata
gives all fields and is not limited to foo and bar, which is my goal.
Removing the special fields starting with underscore:
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata
gives the error:
Error result had no _raw key
Ultimately I changed the query output to 'raw':
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw
and now I get only the fields foo and bar in my results!
Unfortunately the output format of 'raw' is different from 'rawdata' and thus I need to adjust my downstream processing, but that's the next step.