fields

The fields command is used to specifiy the fields that should be present in each event

Syntax

The fields command accepts a list of field names:

| fields foo bar baz

This command will remove all fields from an event except for foo, bar, and baz; if any of these fields are not present in the event, they will be added with a null value.

Example

Only retain the _raw and _time fields for all events:

| fields _raw _time

Crystalline

fields

Syntax

Example