Skip to main content

fields

Include or exclude fields from the event stream.

Syntax

| fields [+|-] <field> [, <field> ...]

+ (default): Include only these fields
-: Remove these fields

Examples

-- Include specific fields
| fields source, level, message

-- Remove fields
| fields - _raw, _id

-- Keep only what you need
level=error | fields + _time, source, message

Notes

fields without a prefix defaults to include mode (same as fields +).
fields + is equivalent to table.
The optimizer uses field lists for column pruning, reducing I/O.

See Also

table -- Select and order columns
rename -- Rename fields

Syntax
Examples
Notes
See Also