Fields command in 4.1.2, build 79191 may have a bug?

-3

The fields command in 4.1.2, build 79191 has a bug.

It includes all results from the _* fields even when specified with a "+" operator.

e.g.

fields + src_ip

will include the results from _* fields still

bug search-language

asked 30 May '10, 16:56

rayfoo
178●1●1●9
accept rate: 12%

edited 30 May '10, 22:45

gkanapathy ♦
24.1k●1●6●20

Wow, this question sure is being modded down alright! :P If someone would care to help clarify further about my comment to gkanapathy below...would appreciate it much!

(02 Jun '10, 16:53) rayfoo

One Answer:

oldest newest most voted

You may be misreading the documentation. Using the + option on fields does not remove hidden _* fields from the results (unless explicitly listed): http://www.splunk.com/base/Documentation/latest/SearchReference/Fields says:

The fields command does not remove internal fields unless explicitly specified

link

answered 30 May '10, 22:48

gkanapathy ♦
24.1k●1●6●20
accept rate: 43%

I'm confused, because the same documentation states that... (If + is specified, only the fields that match one of the fields in the list are kept.) And I've been successfully removing all _* fields by using (fields + field1,field2,field3) in previous versions till date.

(01 Jun '10, 15:21) rayfoo

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

search-language ×314
bug ×27

Asked: 30 May '10, 16:56

Seen: 312 times

Last updated: 30 May '10, 22:48

Fields command in 4.1.2, build 79191 may have a bug?

Follow this question

Splunk Resources

Related questions