---
id: fields
title: fields Search Operator
sidebar_label: fields
description: Use the fields operator to specify which fields to display and their order in query results, reducing clutter from irrelevant fields.
slug: /help/docs/search/search-query-language/search-operators/fields/
canonical: https://www.sumologic.com/help/docs/search/search-query-language/search-operators/fields/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The `fields` operator allows you to specify which fields to display and their order in the results of a query. Use a fields operator to reduce the "clutter" of a search output that contains fields that aren't completely relevant to your query.

:::info
Using the `fields` operator includes both the specified fields and the default fields (from built-in sources and FERs). However, when `fields =` is used, only the specified fields are included in the query results. Make sure to use the `_messagetime` and `_messagecount` for `fields =` operator to function.
:::

There are two fields operator modes:

* Allowlist - only the fields included are kept in the search output.
* Denylist - all the fields except those you specify to be excluded are in the search output.

To specify the [order of returned fields](#ordering-fields) you must use the fields operator last, at the end of your query.

:::note
Fields are not returned in the specified order in [Search Job API](/docs/api/search-job/) and Webhook results.
:::

## Allowlist

For allowlist mode, only fields you specify for inclusion are kept in the search output. For example, to strip out every field except for method and status_code, your query would be:

```sumo
_sourceCategory=Apache/Access
| parse " \"* " as method
| parse "\" * " as status_code
| fields method, status_code
```

The search results would look like this:  

<img src={useBaseUrl('img/search/searchquerylanguage/search-operators/Fields.png')} alt="Allowlist mode" style={{border: '1px solid gray'}} width="800" />

Allowlist queries allow all system internal fields (fields prefixed with an underscore "_") to pass.

## Denylist

For denylist mode, all fields except for those you explicitly *remove* remain in the search output. Denylist mode is indicated with a minus sign "-" in a query. For example, to only remove the log_level, module, and process_id fields, your query would be:

```sumo
_sourceCategory=*apache*
| fields - log_level, module, process_id
```

Denylist queries will also remove internal fields (fields prefixed with an underscore "_") when specified. For example:

```sumo
_sourceCategory=*apache*
| count by size
| fields - _count
```

Make sure that your query does not repeat or duplicate individual fields, or your search query will fail. 

## Non-aggregate vs. Aggregate Query Results

The fields displayed in query results are different for non-aggregate and aggregate queries.

By default, all non-aggregate query results, which appear in the **Messages** tab, include the # (results list number), Time, and Message field, along with any other fields you have allowlisted in your query.

Aggregate query results, which appear in the **Aggregates** tab, include only the fields that you have specified in your query.

For example, for this non-aggregate query:

```sumo
_sourceCategory=Apache/Access
| parse " \"* " as method
| parse "\" * " as status_code
| fields method, status_code
```

The search results would look like this:

<img src={useBaseUrl('img/search/searchquerylanguage/search-operators/Fields_nonaggr.png')} alt="Non-aggregate query results" style={{border: '1px solid gray'}} width="800" />

While the same query with an added *count by* statement to make it an aggregate query:

```sumo
_sourceCategory=Apache/Access
| parse " \"* " as method
| parse "\" * " as status_code
| count by method, status_code
| fields status_code, method
```

This would provide the following results:

<img src={useBaseUrl('img/reuse/query-search/fields_operator_aggregate.png')} alt="Aggregate query results" style={{border: '1px solid gray'}} width="200" />

## Use a Field Name that Contains Spaces or Special Characters

The Sumo Logic search language allows `a-zA-Z\` as valid characters for identifiers for fields. In cases where a field name contains other characters you need to escape the field name by using the `%` character and wrapping the field name in double quotes. 

Syntax: `%"field_name"`

Here's an example:

```sumo
| "Robot" as %"learning robot .33."
```

This creates a field named "learning robot .33." with the value "Robot".

## Ordering fields

By default, the fields in non-aggregated results are ordered alphabetically. You can specify a different order by using the fields operator.

For example, if you used:

```sumo
| fields status_code, method
```

Sumo displays the **status_code** field first, then the **method** field second.

In an aggregate result, field and column order follows the requested order of the query.

For example, if you used:

```sumo
| count by status_code, method
```

Sumo displays the **status_code** field first, and the **method** field second.