This search command retains (+) or removes (-) fields from search results based on the field list specified.
This command uses the following conventions:
For a list of all search commands, see Search commands.
fields [+] <Field-List>
fields [-] <Field-List>
In the preceding syntax, the following definitions apply:
<Field-List> refers to a comma-separated list of fields.
Example 1: Remove the fields destHost and ip from the search results.
... | fields - destHost, ip
Example 2: Remove the fields username, protocol, rfc931, and RequestURL from the search results.
... | fields - username, protocol, rfc931, RequestURL
Example 3: Retain the fields RequestType and ResponseCode in the search results.
... | fields RequestType, ResponseCode
The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the fields command.
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
In this example, you use the command to remove the fields username, protocol, rfc931, and RequestURL from the search results.
... | fields - username, protocol, rfc931, RequestURL
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |DATA_PATTERN=MyAccess |ResponseSize=100 |RequestType=POST |COLLECTOR=test_http_access.log |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |DATA_PATTERN=MyAccess |ResponseSize=200 |RequestType=PUT |COLLECTOR=test_http_access.log |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |DATA_PATTERN=MyAccess |ResponseSize=150 |RequestType=GET |COLLECTOR=test_http_access.log |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |DATA_PATTERN=MyAccess |ResponseSize=100 |RequestType=GET |COLLECTOR=test_http_access.log |
In this example, you use the command to retain the fields RequestType and ResponseCode and remove all other fields.
... | fields RequestType, ResponseCode
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=PUT |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET |
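The retain and remove behavior shown above, modeled in Python as an added example (not the product's code) so the results can be checked offline. It also flags dropped fields whose values are still visible in the raw event text, which the sample results on this page show is displayed unchanged. Assumptions: the `NAME=value |` layout of the sample indexed data, exact-case field names, an always-kept set inferred from the Example 3 results, and the hypothetical helper names `parse_event`, `fields` and `residual_in_raw`.

```python
import re

# Constructed from the sample indexed data on this page (two of the four events).
SAMPLE = [
    '10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png '
    'HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 '
    '|ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png |',
    '10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png '
    'HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 '
    '|ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |',
]
PAIR = re.compile(r"(\w+)=([^|]*)\|")
# Assumption: kept in retain mode because they survive in this page's Example 3 results.
ALWAYS_KEPT = {"HOST", "COLLECTOR_NAME", "DATA_PATTERN"}

def parse_event(line):
    """Split an event into (raw text, {field: value})."""
    pairs = list(PAIR.finditer(line))
    raw = line[:pairs[0].start()].rstrip() if pairs else line.rstrip()
    return raw, {m.group(1): m.group(2).strip() for m in pairs}

def fields(events, spec):
    """Apply 'fields [+|-] a, b' to parsed events; exact-case names (assumption)."""
    spec = spec.strip()
    remove = spec.startswith("-")
    names = {n.strip() for n in spec.lstrip("+-").split(",") if n.strip()}
    if not names:
        raise ValueError("empty field list")
    def keep(name):
        return name not in names if remove else (name in names or name in ALWAYS_KEPT)
    return [(raw, {k: v for k, v in f.items() if keep(k)}) for raw, f in events]

def residual_in_raw(before, after):
    """Names of dropped fields whose values still appear in the event's raw text."""
    hits = set()
    for (raw, old), (_, new) in zip(before, after):
        hits |= {k for k, v in old.items() if k not in new and v and v in raw}
    return sorted(hits)

EVENTS = [parse_event(line) for line in SAMPLE]

if __name__ == "__main__":
    retained = fields(EVENTS, "RequestType, ResponseCode")
    print(retained[0][1])
    print("dropped but still in raw text:", residual_in_raw(EVENTS, retained))
```

If results are exported or shared after dropping a field such as ClientIp or RequestURL, the raw event text needs separate handling, because the same values remain readable there.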