Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

fields

The fields command is used to select or remove fields from events. It can either keep only the specified fields, or remove them (inverted mode).

Syntax

The fields command accepts a list of field names or glob patterns. By default, only the specified fields are retained in each event:

| fields <field> [<field> ...]

To remove fields instead of keeping them, prefix field names with a hyphen (-):

| fields - <field> [<field> ...]

Field names can be:

  • Exact field names - foo, _raw, message
  • Glob patterns - use * as a wildcard:
    • prefix* - matches fields starting with “prefix”
    • *suffix - matches fields ending with “suffix”

Behavior

  • If a specified field does not exist in an event, it is added with a null (empty) value
  • The order of fields in the output matches the order they appear in the command
  • Glob patterns are evaluated against all remaining fields in the event

Examples

Only retain the _raw and _time fields:

| fields _raw _time

Combine exact field names with glob patterns - keeps bar, plus any fields starting with foo:

| fields bar foo*

Remove all fields starting with temp (prefix wildcard):

| fields - temp*

Remove all fields ending with _tmp (suffix wildcard):

| fields - *_tmp

When combining exact fields and globs, exact field names take precedence over glob patterns if there’s overlap. For example, fields foo foo* will keep foo and foo_extra, but foo will appear first since it was specified explicitly.