Version: 5.2

fields

Description

Filters the displayed fields.

Syntax

fields <filter-options> <field-list>

Required Arguments

Parameter      Syntax                 Description
<field-list>   <field> [, <field>]    List of fields to be filtered.

Optional Arguments

Parameter          Syntax    Default   Description
<filter-options>   (+|-)     +         + indicates that the listed fields should remain; - indicates that the listed fields should be removed from the result.
tip

The + indicator can be omitted.

Example Queries

Example 1

In this example, network_indexes contains information about network events.

As a result of executing this query, the fields event.code and observer.hostname will be displayed.

Example #1
source network_indexes
| fields event.code, observer.hostname

Example 2

In this example, food_orders contains information about orders.

As a result of executing this query, all fields except type and operation_status will be displayed, because the - option removes the listed fields from the result. The type field is enclosed in quotes so that the interpreter correctly recognizes it as a field name.

Example #2
source food_orders
| fields - 'type', operation_status

Example 3

In this example, winevents contains information about Windows event logs.

As a result of executing this query, all fields whose names start with event or contain target will be displayed: a field is kept if it matches either of the two wildcard patterns in the list.

Example #3
source winevents
| fields event*, *target*

Example 4

In this example, web_indexes contains information about network requests to a web server. The table command produces tabular output with the specified fields. Then the eval command calculates the response body size http.response.body.bytes in kilobytes and saves it to a new field kbytes, which is also included in the tabular output.

Example #4
source web_indexes 
| table @timestamp, user.name, user_agent.name, url.path, http.response.status_code, http.response.body.bytes
| eval kbytes=if(isnull(http.response.body.bytes), "-", round(http.response.body.bytes/1024))

Finally, the fields command filters the final set of fields, excluding from the table the http.response.body.bytes field and fields matching the wildcard patterns *status* and user*.

| fields - http.response.body.bytes, *status*, user*

The query execution result may be the following table:

kbytes   @timestamp                    url.path
10       2025-05-30T17:42:39.729492Z   /walk/stove
45       2025-05-30T17:41:53.013623Z   /drink.jpg
9        2025-05-30T17:41:06.937597Z   /fuel
12       2025-05-30T17:42:24.324308Z   /quilt
47       2025-05-30T17:38:23.999864Z   /drink.ico
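To make the include/exclude and wildcard semantics of the fields command concrete, here is an added Python model of the command (written for this page; it is not the product's own implementation and may differ from it in details such as output column order, which the page does not specify). It parses a `<filter-options> <field-list>` string, expands wildcards per field name, and applies the result to a list of events. The sample events, including the kbytes field that the eval step of Example 4 would have produced, are constructed here for illustration.

```python
"""Model of the `fields` command: keep (+) or drop (-) a list of field names,
with shell-style wildcards, over a list of events (dicts).

Added illustration for this page, not the product's own code.
"""
import fnmatch
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]


def parse_field_list(spec: str) -> Tuple[bool, List[str]]:
    """Parse "<filter-options> <field-list>", e.g. "- 'type', operation_status".

    Returns (keep, patterns): keep=True for "+" or no option, False for "-".
    Surrounding quotes around a field name are stripped, as in Example 2.
    """
    spec = spec.strip()
    keep = True
    if spec.startswith("-"):
        keep, spec = False, spec[1:]
    elif spec.startswith("+"):
        spec = spec[1:]

    patterns: List[str] = []
    for raw in spec.split(","):
        name = raw.strip()
        if len(name) >= 2 and name[0] == name[-1] and name[0] in ("'", '"'):
            name = name[1:-1]  # 'type' -> type
        if name:
            patterns.append(name)
    return keep, patterns


def apply_fields(event: Event, keep: bool, patterns: List[str]) -> Event:
    """Return a copy of `event` with the matching fields kept or removed."""
    # fnmatchcase: "*" and "?" are wildcards, "." is literal, no case folding.
    matched = {
        name for name in event
        if any(fnmatch.fnmatchcase(name, pat) for pat in patterns)
    }
    if keep:
        return {k: v for k, v in event.items() if k in matched}
    return {k: v for k, v in event.items() if k not in matched}


def fields(events: List[Event], spec: str) -> List[Event]:
    """Apply one `fields` clause to every event, preserving event order."""
    keep, patterns = parse_field_list(spec)
    return [apply_fields(e, keep, patterns) for e in events]


# Constructed sample data: the state of the Example 4 pipeline after
# `table ...` and `eval kbytes=...`, just before the final `fields -` clause.
WEB_EVENTS: List[Event] = [
    {
        "@timestamp": "2025-05-30T17:42:39.729492Z",
        "user.name": "alice",
        "user_agent.name": "Firefox",
        "url.path": "/walk/stove",
        "http.response.status_code": 200,
        "http.response.body.bytes": 10240,
        "kbytes": 10,
    },
    {
        "@timestamp": "2025-05-30T17:41:53.013623Z",
        "user.name": "bob",
        "user_agent.name": "curl",
        "url.path": "/drink.jpg",
        "http.response.status_code": 404,
        "http.response.body.bytes": 46080,
        "kbytes": 45,
    },
]

# Constructed sample for Example 3 (winevents): a mix of names that start with
# "event", contain "target", or match neither.
WIN_EVENT: Event = {
    "event.code": 4624,
    "event.action": "logged-in",
    "target.user.name": "svc_backup",
    "host.name": "dc01",
}


if __name__ == "__main__":
    # Example 4: drop the byte count and everything matching *status* / user*.
    for row in fields(WEB_EVENTS, "- http.response.body.bytes, *status*, user*"):
        print(row)
    # Example 3: keep names starting with "event" OR containing "target".
    print(fields([WIN_EVENT], "event*, *target*")[0])
    # Example 2: a quoted name is treated as a plain field name.
    print(parse_field_list("- 'type', operation_status"))
```

Running it shows that the Example 4 clause leaves only @timestamp, url.path and kbytes, and that a field is retained under an include list as soon as it matches any one of the patterns, which is why both event.code and target.user.name survive the Example 3 clause.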