Sunday, July 6, 2014

In this post, we will discuss some of the core features of Splunk. In particular, we will look at how the fields command differs from the table command. Both can be typed into the search bar as part of the search pipeline, and both project a subset of the fields, or columns, of the data.

The fields command returns raw results that look like the original search results, restricted to the fields named. To exclude fields instead, give a minus sign as the first argument before the field list; the plus sign for inclusion is optional, since inclusion is the default. Internal fields such as _raw and _time are left in place unless they are removed explicitly, so the events still carry the original log line.

The table command selects columns the way any projection operator does: it enumerates the available columns and keeps only the ones named, producing a table with exactly those columns in the order given.

As you can see, both commands select user-specified fields from the available list. The fields have to be ones present in the events (extracted at index time or at search time) or defined by the user in the search. In earlier versions, neither command restricted the user from naming indexed fields or reserved fields. There is an argument for excluding the reserved fields, since the user sees the extracted fields anyway and nothing visible would change. The indexed fields are a different case: they are used by the search itself and should not be excluded from the search results. Either way, the behavior the user sees is unchanged, because these fields are extracted and displayed automatically. Behind the scenes, in earlier versions, the reserved fields were added to the operators internally during search dispatch rather than handled within the operator's own processor.

Because of that, the user sees no change when the explicit addition of reserved fields that have become obsolete or been replaced is taken out. That handling would have been better consolidated into the processor logic itself. The most important point is that the two commands have different output formats: fields yields events, table yields a table, and the two can be chained, with fields early in the pipeline and table at the end. Two practical consequences follow. The fields command is a distributable streaming command, so restricting fields early cuts the data the indexers send to the search head, whereas table is a transforming command that runs once the results have been collected. And table drops _raw unless it is named, so a triage search that still needs the original log line should keep it with fields, or name _raw in the table.
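To make the difference concrete, here is a small Python model of the projection semantics of the two commands, run over a few constructed sshd and sudo events. It is an added example written for this post, not Splunk's own code. The sample events, the field names and the helper names (fields_cmd, table_cmd, auth_summary) are assumptions; the rule that fields retains every underscore-prefixed internal field unless it is removed explicitly is taken from the documented Splunk Web behavior for _raw and _time, and wildcard handling is modeled with simple glob matching.

```python
"""Model of the projection semantics of Splunk's `fields` and `table`
commands.  Added example for this post, not Splunk code: it encodes the
documented behaviour of the two commands over constructed sample events.
"""

import fnmatch

# Constructed sample events, not real log data.  Keys beginning with "_"
# play the role of Splunk's internal fields (_raw, _time).
EVENTS = [
    {"_time": "2014-07-06T10:00:01",
     "_raw": "Jul  6 10:00:01 bastion sshd[1201]: Failed password for root "
             "from 198.51.100.7 port 51022 ssh2",
     "host": "bastion", "sourcetype": "sshd", "user": "root",
     "src_ip": "198.51.100.7", "action": "failure"},
    {"_time": "2014-07-06T10:00:04",
     "_raw": "Jul  6 10:00:04 bastion sshd[1203]: Accepted publickey for deploy "
             "from 203.0.113.9 port 40110 ssh2",
     "host": "bastion", "sourcetype": "sshd", "user": "deploy",
     "src_ip": "203.0.113.9", "action": "success"},
    {"_time": "2014-07-06T10:00:09",
     "_raw": "Jul  6 10:00:09 web01 sudo: deploy : TTY=pts/0 ; "
             "COMMAND=/bin/systemctl restart nginx",
     "host": "web01", "sourcetype": "sudo", "user": "deploy",
     "command": "/bin/systemctl restart nginx"},
]


def _matches(name, patterns):
    """True if a field name matches any of the (possibly wildcarded) patterns."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def fields_cmd(events, *args):
    """Model of `| fields [+|-] <field-list>`.

    A leading "+" (optional) keeps the named fields; a leading "-" removes
    them.  In keep mode every internal field (name starting with "_") is
    retained, as Splunk Web does for _raw and _time; the only way to drop
    one is to name it in a removal, e.g. fields_cmd(events, "-", "_raw").
    """
    args = list(args)
    mode = "+"
    if args and args[0] in ("+", "-"):
        mode = args.pop(0)
    if not args:
        raise ValueError("fields: at least one field name is required")
    out = []
    for ev in events:
        if mode == "-":
            kept = {k: v for k, v in ev.items() if not _matches(k, args)}
        else:
            kept = {k: v for k, v in ev.items()
                    if k.startswith("_") or _matches(k, args)}
        out.append(kept)
    return out


def table_cmd(events, *cols):
    """Model of `| table <field-list>`.

    Every row has exactly the named columns, in the order given; a wildcard
    expands against the field names seen in the input (first-seen order);
    an event lacking a column gets "".  Internal fields are dropped unless
    named, so _raw does not survive a table unless asked for.
    """
    if not cols:
        raise ValueError("table: at least one field name is required")
    seen = []
    for ev in events:
        for k in ev:
            if k not in seen:
                seen.append(k)
    columns = []
    for pat in cols:
        candidates = seen if any(ch in pat for ch in "*?[") else [pat]
        for name in candidates:
            if fnmatch.fnmatchcase(name, pat) and name not in columns:
                columns.append(name)
    return [{c: ev.get(c, "") for c in columns} for ev in events]


def auth_summary(events):
    """`... | fields src_ip user action | table _time src_ip user action`.

    Shows the chaining the post describes: fields trims the events early but
    keeps _time, which the final table can then lay out as a column.
    """
    trimmed = fields_cmd(events, "src_ip", "user", "action")
    return table_cmd(trimmed, "_time", "src_ip", "user", "action")


if __name__ == "__main__":
    print("fields - _raw sourcetype  (events, original line removed):")
    for row in fields_cmd(EVENTS, "-", "_raw", "sourcetype"):
        print("  ", row)
    print("fields src_ip user action | table _time src_ip user action:")
    for row in auth_summary(EVENTS):
        print("  ", row)
```

Running the block prints the two shapes side by side: the fields output is still a list of events carrying _time and _raw, while the table output is rows with exactly four columns and an empty src_ip for the sudo event, which never had one.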
