Splunk Search Command Series: Table and Fields

In the Splunk search world, the table command and the fields command are similar, but they serve different functions. The fields command returns only the specific fields you name from your data, cutting down the time it takes Splunk to retrieve the events associated with those fields. The table command restricts the output in the same way; however, it also lists the fields’ values. Let me show you an example of both of these commands in action. First up: the fields command.

Fields Command

In this first example, notice the search and the fields that it brings back.

Figure 1 – Start with your Splunk search

By the way, the search above took a little over 10 seconds to complete. Let’s see how much faster Splunk can retrieve the data once we specify the fields we’re looking for.

Job inspector results before using the fields command:

Figure 2 – Job Inspector results from Splunk search

The interesting fields that were brought back from the above search:

Figure 3 – Interesting Fields list

Now that you have seen the interesting fields for the main index and the sourcetype in the above search, let’s say we are only interested in action, ProductName, file, and JSESSIONID. By using the fields command, we can bring back only these four fields once Splunk completes the search. After that, we’ll check the job inspector to see how much faster Splunk was able to complete this search.

Here we have our new search introducing the fields command:

Figure 4 – New search with Splunk fields command

The results from the job inspector after using the fields command:

Figure 5 – Job inspector results with fields command

As you can see, after introducing the fields command to specify which fields we’re interested in, we cut the time Splunk takes to complete the search by almost seven seconds. Notice that Splunk brought back only the fields specified by the fields command.

Figure 7 – Splunk fields command results

Table Command

Now let’s switch gears to the table command. We are going to use the table command on the same four fields that we used in the fields command demonstration. The table command is a transforming command, which means it takes your search results and outputs them in a tabular format. As I mentioned before, it will only bring back the fields specified after the command. Let’s take a look at the table command in action.

Here you can see the table command used on the same four fields. The results are now in a table format displaying the values of the fields specified after the table command.

Figure 7 – Table command results in Splunk
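The two commands side by side on the post’s four fields, as an added example rather than the searches from the screenshots; `index=main` and the field names come from the post, while `<your_sourcetype>` is a placeholder you replace with the sourcetype you searched:

```spl
index=main sourcetype=<your_sourcetype>
| fields action, ProductName, file, JSESSIONID

index=main sourcetype=<your_sourcetype>
| fields action, ProductName, file, JSESSIONID
| fields - _raw

index=main sourcetype=<your_sourcetype>
| table action, ProductName, file, JSESSIONID
```

The first search is the fields usage from the post: the results are still events, and the internal fields `_raw` and `_time` are kept unless you remove them explicitly, which the second search does with `fields - _raw`. The third search is transforming, so its output is one row per event with exactly those four columns; put fields early in a pipeline to limit what Splunk has to extract, and table at the end to shape what you display.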

There you have it! The fields command and the table command: two very useful and powerful commands that you should definitely add to your arsenal of search commands. Enjoy!


Ask the Experts

Our Splunk Search Command Series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practices. If you’re interested in learning more about our EOD service or in chatting with our team of experts, fill out the form below!
