fields

Description

The fields command specifies which fields (columns) to include in or exclude from the search results. It operates in two modes:

• Include mode (+, default) - keeps only the listed fields and drops everything else.
• Exclude mode (-) - removes the listed fields and keeps everything else.

Use fields to reduce clutter, focus on relevant data, and improve query performance by limiting the amount of data transferred.

Syntax

fields [+|-] <field-list>

Arguments

Argument	Required	Description
<field-list>	Yes	A comma-delimited or space-delimited list of field names. Supports wildcard patterns (*).
+ or -	No	+ (include mode, default) keeps only the listed fields. - (exclude mode) removes the listed fields from the output.

Usage notes

• Reduces data transfer: Selecting only the fields you need reduces the amount of data returned from OpenSearch, which can significantly improve query performance for wide indices with many fields.
• Wildcard patterns: Use * to match field names by prefix (severity*), suffix (*Id), or substring (*attr*). Wildcards are expanded against the index schema.
• Field order: The order of fields in the output matches the order you specify in the fields command.
• Automatic deduplication: If a field is both explicitly listed and matched by a wildcard pattern, it appears only once in the output.
• Backtick-quoted field names: OTel fields with dots in their names (e.g., resource.attributes.service.name) must be enclosed in backticks (`) to prevent them from being interpreted as nested field access. For example: `resource.attributes.service.name`.
• Space or comma delimiters: Fields can be separated by commas, spaces, or a mix of both. All three forms are equivalent: fields a, b, c, fields a b c, fields a, b c.
• Multiple fields commands: You can chain fields commands. For example, first include a broad set, then exclude specific fields from that set.
• Full wildcard: Use fields * or fields `*` to select all fields in the index schema, including fields with null values. Use the backtick form if the plain * does not return all expected fields.

Basic examples

Select specific fields

Return only the timestamp, log body, and severity from log results:

source=logs-otel-v1*
| fields time, body, severityText

Try in playground →

Exclude a field

Start with a set of fields, then remove one:

source=logs-otel-v1*
| fields time, body, severityText, traceId
| fields - traceId

Try in playground →

Space-delimited syntax

Fields can be separated by spaces instead of commas:

source=logs-otel-v1*
| fields time body severityText

Try in playground →

Prefix wildcard

Select all fields whose names start with severity:

source=logs-otel-v1*
| fields severity*

Try in playground →

Suffix wildcard

Select all fields whose names end with Id:

source=logs-otel-v1*
| fields *Id

Try in playground →

Extended examples

Select OTel log fields with backticks

When working with OpenTelemetry data, field names contain dots. Use backticks to reference them correctly.

source=logs-otel-v1*
| where severityText = 'ERROR'
| fields time, body, severityText, `resource.attributes.service.name`, `attributes.gen_ai.operation.name`
| head 20

Try in playground →

Exclude verbose fields for a clean log view

Remove high-cardinality or noisy fields to focus on the essentials during an investigation. This is especially useful when browsing raw log data in Discover.

source=logs-otel-v1*
| where severityNumber >= 17
| fields - `attributes.event.domain`, `attributes.event.name`, instrumentationScope
| head 50

Try in playground →

Wildcard to select attribute groups

Use a wildcard pattern to grab all GenAI-related attributes at once:

source=logs-otel-v1*
| where ISNOTNULL(`attributes.gen_ai.operation.name`)
| fields time, body, `attributes.gen_ai*`
| head 20

Try in playground →

See also

• search - The starting point of every PPL query
• where - Filter results using boolean expressions
• PPL Commands - Full command reference