
How To Use Splunk Table and Fields Commands


Are you working with the same set of data on a regular basis? Are your searches taking more than a couple of seconds to load? Splunk’s table command and fields command can make this process faster for you. 

These two commands are similar, but they serve different purposes. In this guide, I’ll walk you through what the table and fields commands are and how to use them.


What is the fields command in Splunk?

The fields command is a Splunk search command that allows you to retrieve specific fields within your data. You can retrieve these fields without conducting a search for all the fields in the data. The benefit of using this command is that it reduces the time it takes for Splunk to retrieve the events associated with those fields.


How to Use the Fields Command

Step 1: Start a base search.

In this example, we’re using this search:

index="splunk_test" sourcetype="access_combined_wcookie"

Using job inspector, we can see it took about 7.3 seconds to run this search. This search includes all the events associated with each field in this set of data. You can see this on the right-hand side. 

[Screenshot: Before Using Splunk Fields Command Search Speed Using the Job Inspector Tool]

Step 2: Add the fields command.

index="splunk_test" sourcetype="access_combined_wcookie"
| fields JSESSIONID req_time referrer_domain

This fields command is retrieving the raw data we found in step one, but only the data within the fields JSESSIONID, req_time, and referrer_domain.

It took only three seconds to run this search — a four-second difference!

[Screenshot: After Using the Splunk Fields Command Search Speed Using the Job Inspector Tool]

Running the Fields Command and Stats Command Together

You can use the fields and stats commands together for even faster searches. In this example, we’re running a stats command, but excluding a field from the search after we’ve run it.

Let’s start with the base search and the stats command:

index="splunk_test" sourcetype="access_combined_wcookie"
| stats count by action, status, JSESSIONID

[Screenshot: How to Run the Fields Command and Stats Commands Together]

Next, we’ll include the fields command. We’ll be excluding the count field.

index="splunk_test" sourcetype="access_combined_wcookie"
| stats count by action, status, JSESSIONID
| fields - count

Now our search displays all of the same data it displayed before, but without the column dedicated to the count field.

[Screenshot: How to Use the Fields Command to Exclude a Count Field in Splunk Data]

Splunk Tip: The fields command defaults to the plus (+), so you don’t have to type it in when you want to keep the listed fields. This is also why a minus (-) returns all the fields except those you’ve specified in the search.


What is the table command in Splunk?

The table command works much like the fields command: it pulls the raw data from a search quickly, using only the fields you specify. The difference is that it returns that data in a tabular format.


How to Use the Table Command

Step 1: Start a base search.

In this example, we’re using this search:

index="splunk_test" sourcetype="access_combined_wcookie"

Using job inspector, we can see it took about 7.3 seconds to run this search. This search includes all the events associated with each field in this set of data. You can see this on the right-hand side.

Step 2: Add the table command.

index="splunk_test" sourcetype="access_combined_wcookie"
| table JSESSIONID req_time referrer_domain

This table command is retrieving the raw data we found in step one, but only the data within the fields JSESSIONID, req_time, and referrer_domain. It places that data in a tabular format, one column per field.

[Screenshot: How to Use the Table Command: Add the Table Command to the Search Bar]

Splunk Tip: The table command can also pull in fields that were not originally in your data — even fields that have been created after your data has been ingested.

Running the Table and Eval Commands Together

You can use the table and eval commands together for even faster searches. In this example, we’re looking for the errorcheck field — this field doesn’t exist in our data until we create it with the eval command.

Let’s start with the base search and the eval command:

index="splunk_test" sourcetype="access_combined_wcookie"
| eval errorcheck=if(status>=400, "error", "Non-error")

Remember, the errorcheck field won’t appear unless we create it with the eval command before asking for it.

[Screenshot: How to Run the Table and Eval Commands Together Using Error Check as an Example Field]

Now let’s add the table command so we can see the data in tabular format.

index="splunk_test" sourcetype="access_combined_wcookie"
| eval errorcheck=if(status>=400, "error", "Non-error")
| table action errorcheck itemId

[Screenshot: How to Use the Table Command in Tabular Format]

Running the Stats and Table Commands Together

It’s important to note that the stats and table commands can be used together, but your table command results will be limited because the stats command is a transforming command. Put simply, that means the fields you’ve specified in the stats command (the by-fields and the aggregates) will be the only fields that appear in your table, even if there is additional data in the base search.

Here’s what that looks like in practice:

index="splunk_test" sourcetype="access_combined_wcookie"
| stats count by action, status, JSESSIONID
| table action status req_time

[Screenshot: How to Run the Stats and Table Commands Together]

Here, we can see that req_time has no values: after running a transforming command like stats, our data is limited to the three fields we’ve specified (action, status, and JSESSIONID) plus the count. Therefore, the table command can’t pull in fields that didn’t survive the stats command.
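To make the ordering rules above concrete (fields - count after stats, eval before table, and why req_time comes back empty after stats), here is an added Python model of how fields, table, eval and stats treat the fields in an event. It is not Splunk code and not from the original article; the five access_combined_wcookie-style events and their values are constructed, and only the field names the article uses are taken from the page.

```python
from collections import Counter

# Constructed sample events, shaped like the access_combined_wcookie data on the page.
EVENTS = [
    {"action": "purchase", "status": 200, "JSESSIONID": "SD1", "req_time": 0.12, "referrer_domain": "example.com", "itemId": "EST-1"},
    {"action": "view",     "status": 404, "JSESSIONID": "SD2", "req_time": 0.40, "referrer_domain": "example.org", "itemId": "EST-2"},
    {"action": "purchase", "status": 500, "JSESSIONID": "SD1", "req_time": 1.30, "referrer_domain": "example.com", "itemId": "EST-3"},
    {"action": "view",     "status": 200, "JSESSIONID": "SD3", "req_time": 0.05, "referrer_domain": "example.net", "itemId": "EST-1"},
    {"action": "view",     "status": 404, "JSESSIONID": "SD2", "req_time": 0.33, "referrer_domain": "example.org", "itemId": "EST-4"},
]

def fields_cmd(rows, names, exclude=False):
    """`| fields a b` keeps only the named fields; `| fields - a` drops them (the + is implicit)."""
    if exclude:
        return [{k: v for k, v in r.items() if k not in names} for r in rows]
    return [{k: r[k] for k in names if k in r} for r in rows]

def table_cmd(rows, names):
    """`| table a b`: one column per requested name; a field that is absent shows as an empty cell."""
    return [{k: r.get(k, "") for k in names} for r in rows]

def eval_errorcheck(rows):
    """`| eval errorcheck=if(status>=400, "error", "Non-error")` adds a field that was never ingested."""
    return [dict(r, errorcheck="error" if r["status"] >= 400 else "Non-error") for r in rows]

def stats_count_by(rows, by):
    """`| stats count by a, b`: a transforming command; only the by-fields and count survive it."""
    counts = Counter(tuple(r.get(k) for k in by) for r in rows)
    return [dict(zip(by, key), count=n) for key, n in sorted(counts.items(), key=str)]

def stats_then_table():
    """The page's last search: req_time did not survive stats, so table shows it empty."""
    rows = stats_count_by(EVENTS, ["action", "status", "JSESSIONID"])
    return table_cmd(rows, ["action", "status", "req_time"])

def eval_then_table():
    """eval creates errorcheck before table asks for it, so the column is populated."""
    return table_cmd(eval_errorcheck(EVENTS), ["action", "errorcheck", "itemId"])

def stats_minus_count():
    """`| stats count by ... | fields - count`: same rows as stats, without the count column."""
    rows = stats_count_by(EVENTS, ["action", "status", "JSESSIONID"])
    return fields_cmd(rows, ["count"], exclude=True)

if __name__ == "__main__":
    for row in stats_then_table():
        print(row)   # every row carries req_time == ""
```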


Table and Fields Commands Made Easy In Splunk

There you have it! The fields command and the table command: two very useful and powerful commands that you should definitely add to your arsenal of search commands. Enjoy! 

Ask the Experts

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.
