Output only specific field values to CLI

jones4bob · ‎06-23-2010

I'm trying to pull data from the CLI to pipe to awk to pipe to ... I can't seem to find the correct syntax to say, for example, just pull a single field from a record, rather than pulling everything in each event. Older examples seem to indicate that I can pipe the search to 'fields + field1 field2' but this still only produces the entire event information. What am I missing?

gkanapathy · ‎06-23-2010

you can also use the table search command instead of fields.

swdonline · ‎03-30-2012

Interestingly, in 4.3.1, when I use this for the cli (which works fine in the GUI):
table a b c d e
I get these results:
a d e b c
Why would table return fields in a different order from the CLI?

jones4bob · ‎06-23-2010

I think I've found what I was looking for.

The syntax for pulling specific fields appears to need to work like this: fields field1 field2 | fields - _*

It looks like that last pipe to fields is needed to remove the remainder of the fields from the search result. This worked for me and produced the desired output for awk to process.

Output only specific field values to CLI

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases