In the Splunk search world, the table command and the fields command look very similar, but they serve different purposes. The fields command restricts the results to specific fields that live within your data, which cuts down the time it takes for Splunk to retrieve the events associated with those fields. The table command also restricts the results to the fields you name; in addition, it lays out the values of those fields in a table. Let me show you an example of both of these commands in action. First up: the fields command.
In this first example, notice the search and the fields that it brings back.
By the way, that search above took a little over 10 seconds to complete. Let’s see how much faster Splunk can retrieve the data once we specify the fields that we’re looking for.
Job inspector results before using the fields command:
The interesting fields that were brought back from the above search:
Now that you have seen the interesting fields in the main index and the sourcetype in the above search, let’s say that we are only interested in action, ProductName, file, and JSESSIONID. By using the fields command, we can bring only these four fields back once Splunk completes the search. After that, we’ll check the job inspector to see how much faster Splunk was able to accomplish this search.
Here we have our new search introducing the fields command:
The results from the job inspector after using the fields command:
As you can see, after introducing the fields command to specify what fields we’re interested in, we cut the time Splunk takes to complete the search by almost seven seconds. Notice that Splunk only brought back the fields specified by the fields command.
Now let's switch gears to the table command. We are going to use it on the same four fields that we used in the fields command demonstration. The table command is a transforming command, which means it takes your search results and outputs them in a tabular format; because it is transforming, it belongs at the end of your search pipeline rather than early on, where the fields command does its work. Like I mentioned before, it only brings back the fields specified after the command. Let's take a look at the table command in action.
Here you can see the table command used on the same four fields. The results are now displayed in a table, showing the values of the fields specified after the table command.
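The searches from the screenshots are not reproduced in the text, so here are added SPL examples (my own, not the searches from the original post) that show both commands on the four fields named above. They assume the main index, as in the post, and a placeholder sourcetype that you would replace with your own; the field names action, ProductName, file, and JSESSIONID are taken from the post.

```spl
index=main sourcetype=<your_sourcetype>
| fields action ProductName file JSESSIONID

index=main sourcetype=<your_sourcetype>
| fields action ProductName file JSESSIONID
| fields - _raw

index=main sourcetype=<your_sourcetype>
| table action ProductName file JSESSIONID

index=main sourcetype=<your_sourcetype>
| fields action ProductName file JSESSIONID
| stats count by action ProductName
| table action ProductName count
```

The first search is the fields command as demonstrated in the post: Splunk keeps only the four listed fields, plus internal fields such as _raw and _time, which the fields command retains unless you remove them explicitly, as the second search does with `fields - _raw`. The third search is the table command on the same four fields; it produces only the listed columns, in the order you list them. The last search shows the pattern that gives you the benefit of both: fields early in the pipeline so Splunk retrieves less data, and table at the very end, after the transforming stats command, to control which columns appear and in what order.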
There you have it! The fields command and the table command: two very useful and powerful commands that you should definitely add to your arsenal of search commands. Enjoy!
Ask the Experts
Our Splunk Search Command Series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practices. If you're interested in learning more about our EOD service or chatting with our team of experts, fill out the form below!