fields search command


This search command retains (+) or removes (-) fields from search results based on the field list specified.

This command uses the following conventions:

  • If you specify a plus sign (+), fields that match one of the fields specified in the command are retained.
  • If you specify a minus sign (-), fields that match one of the fields specified in the command are removed.
  • If you do not specify a plus (+) or a minus sign (-), the command assumes a plus sign (+).

For a list of all search commands, see Search-commands.

Syntax

fields [+] <Field-List>

fields [-] <Field-List>

In the preceding syntax, the following definitions apply:

  • [expression] indicates that the enclosed expression is optional.
  • <Field-List> refers to a comma-separated list of fields.

Short examples

Example 1: Remove the fields destHost and ip from the search results.

... | fields - destHost, ip

Example 2: Remove the fields username, protocol, rfc931, and RequestURL from the search results.

... | fields - username, protocol, rfc931, RequestURL

Example 3: Retain the fields RequestType and ResponseCode in the search results.

... | fields RequestType, ResponseCode

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the fields command.

Sample data

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

Sample indexed data

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200

HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150

HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

Remove particular fields

In this example, you use the command to remove the fields username, protocol, rfc931, and RequestURL from the search results.

Command

... | fields - username, protocol, rfc931, RequestURL

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |DATA_PATTERN=MyAccess |ResponseSize=100 |RequestType=POST |COLLECTOR=test_http_access.log

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |DATA_PATTERN=MyAccess |ResponseSize=200 |RequestType=PUT |COLLECTOR=test_http_access.log

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |DATA_PATTERN=MyAccess |ResponseSize=150 |RequestType=GET |COLLECTOR=test_http_access.log

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |DATA_PATTERN=MyAccess |ResponseSize=100 |RequestType=GET |COLLECTOR=test_http_access.log

Retain particular fields and remove all other fields

In this example, you use the command to retain the fields RequestType and ResponseCode and remove all other fields.

Command

... | fields RequestType, ResponseCode

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=PUT

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100

HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

Notes

  • Default fields such as HOST, COLLECTOR_NAME, and DATA_PATTERN cannot be removed.
  • You cannot specify a command that uses both plus (+) and minus (-) signs together.
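
The conventions and notes above, expressed as a small Python model that can be run against one extracted record. This is an added example, not the product's code: parse_fields, apply_fields, DEFAULT_FIELDS and RECORD are hypothetical names, and the model assumes that the three default fields named in the notes are the only protected ones and that field names match case-sensitively.

```python
# Model of the `fields` command semantics described on this page.
# Assumption: the non-removable default fields are exactly the three the
# Notes name; the product may protect others.
DEFAULT_FIELDS = {"HOST", "COLLECTOR_NAME", "DATA_PATTERN"}


def parse_fields(command):
    """Return (mode, names) for 'fields [+|-] a, b'; mode is '+' or '-'."""
    head, _, rest = command.strip().partition(" ")
    rest = rest.strip()
    if head != "fields" or not rest:
        raise ValueError("expected: fields [+|-] <Field-List>")
    mode = "+"                       # no sign means plus
    if rest[0] in "+-":
        mode, rest = rest[0], rest[1:]
    names = [n.strip() for n in rest.split(",")]
    # A sign on a later list item would mix + and -, which is not allowed.
    if any(not n or n[0] in "+-" for n in names):
        raise ValueError("empty field name or mixed +/- signs")
    return mode, names


def apply_fields(command, record):
    """Project one record (dict of extracted fields) through the command."""
    mode, names = parse_fields(command)
    wanted = set(names)
    if mode == "+":
        keep = wanted | DEFAULT_FIELDS
        return {k: v for k, v in record.items() if k in keep}
    drop = wanted - DEFAULT_FIELDS   # default fields survive a minus list
    return {k: v for k, v in record.items() if k not in drop}


# Constructed record: values taken from the page's sample indexed data and
# the DATA_PATTERN value from its output, with whitespace trimmed.
RECORD = {
    "HOST": "local.bmc.com", "COLLECTOR_NAME": "u4",
    "DATA_PATTERN": "MyAccess", "ClientIp": "10.1.1.141",
    "ResponseCode": "200", "ResponseSize": "100",
    "RequestType": "POST", "RequestURL": "/themes/ComBeta/images/bullet.png",
}

if __name__ == "__main__":
    print(apply_fields("fields RequestType, ResponseCode", RECORD))
    print(apply_fields("fields - ClientIp, RequestURL, HOST", RECORD))
```

The model takes only the fields stage of a query, without the leading "... |" pipeline.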

 

 
