• Spaces
  • Help
    • ×
     
     
    •  
    BMC TrueSight IT Data Analytics 1.0

    Page tree

    This search command retains (+) or removes (-) fields from search results based on the field list specified.

    This command uses the following conventions:

    • If you specify a plus sign (+), fields that match one of the fields specified in the command are retained.
    • If you specify a minus sign (-), fields that match one of the fields specified in the command are removed.
    • If you do not specify a plus (+) or a minus sign (-), the command assumes a plus sign (+).

    This topic contains the following information:

    For a list of all search commands, see Search commands.

    Syntax

    fields [+] <Field-List>
    fields [-] <Field-List>

    In the preceding syntax, the following definitions apply:

    • [expression] indicates it is optional.
    • <Field-List> refers to a comma-separated list of fields.

    Short examples

    Example 1: Remove the fields destHost and ip from the search results.

    ... | fields - destHost, ip

    Example 2: Remove the fields username, protocol, rfc931, and RequestURL from the search results.

    ... | fields - username, protocol, rfc931, RequestURL

    Example 3: Retain the field RequestType and ResponseCode in the search results.

    ... | fields RequestType, ResponseCode

    Long examples

    The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the fields command.

    Sample data

    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100

    Back to examples ↑

    Sample indexed data

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

    Back to examples ↑

    Remove particular fields

    In this example, you use the command to remove the fields username, protocol, rfc931, and RequestURL from the search results.

    Command

    ... | fields - username, protocol, rfc931, RequestURL

    Output

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |DATA_PATTERN=MyAccess |ResponseSize=100 |RequestType=POST |COLLECTOR=test_http_access.log
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |DATA_PATTERN=MyAccess |ResponseSize=200 |RequestType=PUT |COLLECTOR=test_http_access.log
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |DATA_PATTERN=MyAccess |ResponseSize=150 |RequestType=GET |COLLECTOR=test_http_access.log
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |DATA_PATTERN=MyAccess |ResponseSize=100 |RequestType=GET |COLLECTOR=test_http_access.log

    Back to examples ↑

    Retain particular fields and remove all other fields

    In this example, you use the command to retain the fields RequestType and ResponseCode and remove all other fields.

    Command

    ... | fields RequestType, ResponseCode

    Output

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=PUT
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    Back to examples ↑

    Notes

    • Default fields such as HOST, COLLECTOR_NAME, and DATA_PATTERN cannot be removed.
    • You cannot specify a command that uses both plus (+) and minus (-) signs together.

    Related topic

    chgname

    © Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.