" --your search that filters down to only the event types you want-- | fields + _raw | spath input=_raw | table *"
In my experience you have to filter out the event types you don't want right from the beginning. Otherwise, when you do table *, you will get any and all fields that showed up at any point in your piped search.
The key is to filter down to the specific event type as early as possible in your search pipes, and before you do any spath or field extractions.
For example, if I have a bunch of JSON events, and in order to filter them I have to do "* | spath input=myjsonfield | search Data.eventtype = 33 | table *" in order to show only events of eventtype=33, then that "table *" command will return all fields for all eventtypes. I think that's what is happening in the OP's case.
Note, if your sourcetype has a kv_mode=json in the props.conf, it will always return all the fields if you pipe to "table *".