Does the fields command support globbing/wildcard ...

chris · ‎12-05-2013

Im trying to reduce the fields of my resultset by using the fields command with the '-' option. This does not appear to work:

index=* | head 10 | eval ip="194.10.10.10" | table ip,_time | geoip ip | fields - ip_*

I can get around the problem for this case by searching differently:

index=* | head 10 | eval ip="194.10.10.10"  | geoip ip  | table ip,_time

...but I'm trying to find out how field command works.

The documentation shows an example where the * can be used if you want to keep fields (without using the '-').

This does work

index=* | head 10 | eval ip="194.10.10.10" | table ip,_time | geoip ip | fields ip_l*

This does not work:

index=* | head 10 | eval ip="194.10.10.10" | table ip,_time | geoip ip | fields - ip_l*

Any Ideas?

Thanks
Chris

HattrickNZ · ‎02-24-2016

using 6.3.
having a similar issue:

For clarification:
| fields ip_l* this wild card will work in showing all the fields ip_l
but if I try and remove them.
| fields - ip_l* this does not remove the columns/field but it does remove the values in them columns ip_l*. I want the fields/columns to be removed as well.

hmmm....

alacercogitatus · ‎12-05-2013

This works for me. What version are you using?

chris · ‎12-05-2013

Hi Ayn, you're right. I forgot to insert the '-' option to the last command. I updated the question.

Ayn · ‎12-05-2013

The two last examples seem to be identical?

Does the fields command support globbing/wildcard matching?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes