The fields command in 4.1.2, build 79191 has a bug.
It includes all results from the _* fields even when specified with a "+" operator.
e.g.
fields + src_ip
will still include the results from the _* fields.
You may be misreading the documentation. Using the +
option on fields does not remove hidden _*
fields from the results (unless explicitly listed): http://www.splunk.com/base/Documentation/latest/SearchReference/Fields says:
The fields command does not remove internal fields unless explicitly specified
Wow, this question sure is being modded down alright! 😛 If someone would care to help clarify further about my comment to gkanapathy below... I would appreciate it much!
I'm confused, because the same documentation states that "If + is specified, only the fields that match one of the fields in the list are kept." And I've been successfully removing all _* fields by using (fields + field1,field2,field3) in previous versions to date.
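To make the two readings of the documentation concrete, here is an added Python model of the behaviour the quoted documentation describes. It is not Splunk's code and not from anyone in this thread: `fields +` keeps only the listed fields but leaves the internal `_*` fields in place, and the model assumes that removing them requires naming them explicitly in a `fields -` clause. The event, its field names and the `pipeline` helper are all constructed for the example.

```python
import fnmatch

# Constructed sample event: ordinary extracted fields plus Splunk-style internal _* fields.
SAMPLE_EVENT = {
    "_time": "2011-01-01T00:00:00",
    "_raw": "Jan  1 00:00:00 fw01 deny src=10.0.0.5 dst=192.0.2.9",
    "_indextime": "1293840000",
    "src_ip": "10.0.0.5",
    "dest_ip": "192.0.2.9",
    "action": "deny",
}


def is_internal(name):
    """Splunk internal fields are the ones whose names begin with an underscore."""
    return name.startswith("_")


def fields_keep(event, patterns):
    """Model of `fields + pat1, pat2, ...` as the quoted documentation describes it:
    only fields matching one of the patterns are kept, except internal _* fields,
    which the + form never removes."""
    kept = {}
    for name, value in event.items():
        matches = any(fnmatch.fnmatchcase(name, p) for p in patterns)
        if matches or is_internal(name):
            kept[name] = value
    return kept


def fields_remove(event, patterns):
    """Model of `fields - pat1, ...`: every field matching a pattern is dropped,
    internal fields included when a pattern names them explicitly (assumption:
    `- _raw` or `- _*` is what "explicitly specified" means)."""
    return {
        name: value
        for name, value in event.items()
        if not any(fnmatch.fnmatchcase(name, p) for p in patterns)
    }


def pipeline(event, stages):
    """Hypothetical helper: apply a list of ("+"|"-", [patterns]) stages in order,
    the way consecutive `| fields ...` commands would run."""
    for op, patterns in stages:
        event = fields_keep(event, patterns) if op == "+" else fields_remove(event, patterns)
    return event


if __name__ == "__main__":
    # `fields + src_ip` keeps src_ip and, per the documentation, every _* field.
    print(sorted(fields_keep(SAMPLE_EVENT, ["src_ip"])))
    # Dropping the internal fields as well takes an explicit `- _*` stage.
    print(sorted(pipeline(SAMPLE_EVENT, [("+", ["src_ip"]), ("-", ["_*"])])))
```

Under this model the search `... | fields + src_ip` returns `src_ip` together with `_time`, `_raw` and `_indextime`, which is the output the original question reports; only adding `| fields - _*` (or naming `_raw` and the others individually) strips them. When trimming internal fields before exporting or alerting, keep in mind that `_time` is among them, and later time-based commands need it.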