nano SIEM
Search Commands

fields

Include or exclude specific fields from results. Control which fields are visible in output.

Description

The fields command selects which fields to keep or remove from results. Use + to include only specified fields, or - to exclude specified fields while keeping all others.

Unlike table, which explicitly defines output order, fields simply filters which fields are present.

Syntax

... | fields [+|-] <field> [, <field> ...]

Required Arguments

field
One or more field names to include or exclude

Optional Arguments

+ or -
Syntax: + or - prefix
Description: + to keep only listed fields, - to remove listed fields
Default: + (include mode)

Examples

Keep specific fields

* | fields timestamp, user, action, src_ip

Remove fields

* | fields - _raw, _internal_*

Include mode (explicit)

* | fields + user, src_ip, dest_ip

Remove sensitive data

* | fields - password, ssn, credit_card

Keep only network fields

* | fields + src_ip, dest_ip, src_port, dest_port, protocol, bytes

Remove enrichment fields

* | fields - enriched_*, prevalence_*

Minimal output

* | fields timestamp, message

After aggregation

* | stats count() as events, sum(bytes) as bytes by src_ip, dest_ip
  | fields src_ip, events

Usage Notes

Include vs exclude: + keeps only listed fields. - removes listed fields but keeps all others.

Wildcards: Not supported. Must list each field explicitly.

Performance: Removing fields early can improve performance by reducing data transfer.

vs. table: Use fields to filter, table to define exact output order and aliases.
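To make the include/exclude semantics concrete, here is an added example (not code from the nano SIEM project) that models a `fields [+|-] ...` clause applied to result rows held as dicts; the function names and the sample rows are constructed for illustration, and field names are matched literally.

```python
"""Model of the `fields` clause: parse the prefix and name list, then project rows."""


def parse_fields_clause(clause: str) -> tuple[str, list[str]]:
    """Parse e.g. 'fields - password, ssn' into ('-', ['password', 'ssn']).

    A missing prefix means include mode ('+'), matching the documented default.
    """
    body = clause.strip()
    if not body.startswith("fields"):
        raise ValueError("not a fields clause")
    body = body[len("fields"):].strip()
    mode = "+"
    if body[:1] in ("+", "-"):
        mode, body = body[0], body[1:]
    names = [n.strip() for n in body.split(",") if n.strip()]
    if not names:
        raise ValueError("fields requires at least one field name")
    return mode, names


def apply_fields(rows: list[dict], mode: str, names: list[str]) -> list[dict]:
    """'+' keeps only the listed fields that exist in a row; '-' drops the listed
    fields and keeps everything else. Other fields are never reordered or renamed."""
    listed = set(names)
    if mode == "+":
        return [{k: v for k, v in row.items() if k in listed} for row in rows]
    return [{k: v for k, v in row.items() if k not in listed} for row in rows]


def run_fields(rows: list[dict], clause: str) -> list[dict]:
    mode, names = parse_fields_clause(clause)
    return apply_fields(rows, mode, names)


# Constructed sample results (made-up values) standing in for search output.
SAMPLE_ROWS = [
    {"timestamp": "2024-01-01T00:00:00Z", "user": "alice", "action": "login",
     "src_ip": "10.0.0.5", "password": "hunter2", "_raw": "raw event text 1"},
    {"timestamp": "2024-01-01T00:00:01Z", "user": "bob", "action": "login",
     "src_ip": "10.0.0.6", "_raw": "raw event text 2"},
]

if __name__ == "__main__":
    # Strip sensitive data before results leave the pipeline, then keep a minimal set.
    print(run_fields(SAMPLE_ROWS, "fields - password, _raw"))
    print(run_fields(SAMPLE_ROWS, "fields timestamp, user, action, src_ip"))
```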

Related Commands

  • table - Display specific fields with ordering
  • rename - Rename fields
  • eval - Create new fields