VMware Aria Operations for Logs (SaaS) uses certain fields for internal processing. If such fields are detected during log ingestion, they conflict with the internal fields, resulting in some of the logs being dropped. To handle this conflict, VMware Aria Operations for Logs (SaaS) takes appropriate actions on such field names to ensure that the corresponding logs are not dropped.

The logs displayed on the Stream tab of the Explore Logs page appear with the incoming or remapped field names, depending on the action taken to avoid conflicts.

Field Name Action Taken
id This field appears as id_message_payload.
_version_ This field appears as _version_message_payload
timestamp This field appears as:
  • log_timestamp if the field value can be parsed.
  • timestamp_message_payload if the field value cannot be parsed.
log_timestamp This field appears as:
  • log_timestamp if the field value can be parsed.
  • log_timestamp_message_payload if the field value cannot be parsed.
ingest_timestamp This field appears as:
  • log_timestamp if the field value can be parsed.
  • ingest_timestamp_message_payload if the field value cannot be parsed.
event_type This field appears as event_type_message_payload
parsing_failed This field appears as parsing_failed_message_payload
removed_fields This field appears as removed_fields_message_payload
symphony_tenant_id This field appears as symphony_tenant_id_message_payload
<key>_dv This field appears as <key>
Note:
  • The field names are not case-sensitive.
  • If a field with the same name appears multiple times within a single payload, the last value overrides the other values.
  • If a payload contains timestamp, log_timestamp, and ingest_timestamp fields, and all the field values can be parsed, the log_timestamp field displayed in the Explore Logs page is assigned the value of the incoming log_timestamp field from the payload.
The following formats are considered parsable for timestamp, log_timestamp, and ingest_timestamp fields:
  • yyyy-MM-dd'T'HH:mm:ss*SSSZZZZ
  • yyyy MMM dd HH:mm:ss.SSS zzz
  • MMM dd HH:mm:ss ZZZZ yyyy
  • dd/MMM/yyyy:HH:mm:ss ZZZZ
  • MMM dd, yyyy hh:mm:ss a
  • MMM dd yyyy HH:mm:ss
  • MMM dd HH:mm:ss yyyy
  • MMM dd HH:mm:ss ZZZZ
  • MMM dd HH:mm:ss
  • yyyy-MM-dd'T'HH:mm:ssZZZZ
  • yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
  • yyyy-MM-dd HH:mm:ss ZZZZ
  • yyyy-MM-dd HH:mm:ssZZZZ
  • yyyy-MM-dd HH:mm:ss,SSS
  • yyyy/MM/dd*HH:mm:ss
  • yyyy MMM dd HH:mm:ss.SSS*zzz
  • yyyy MMM dd HH:mm:ss.SSS
  • yyyy-MM-dd HH:mm:ss,SSSZZZZ
  • yyyy-MM-dd HH:mm:ss.SSS
  • yyyy-MM-dd HH:mm:ss.SSSZZZZ
  • yyyy-MM-dd'T'HH:mm:ss.SSS
  • yyyy-MM-dd'T'HH:mm:ss
  • yyyy-MM-dd'T'HH:mm:ss'Z'
  • yyyy-MM-dd'T'HH:mm:ss.SSS
  • yyyy-MM-dd'T'HH:mm:ss
  • yyyy-MM-dd*HH:mm:ss:SSS
  • yyyy-MM-dd*HH:mm:ss
  • yy-MM-dd HH:mm:ss,SSS ZZZZ
  • yy-MM-dd HH:mm:ss,SSS
  • yy-MM-dd HH:mm:ss
  • yy/MM/dd HH:mm:ss
  • yyMMdd HH:mm:ss
  • yyyyMMdd HH:mm:ss.SSS
  • MM/dd/yy*HH:mm:ss
  • MM/dd/yyyy*HH:mm:ss
  • MM/dd/yyyy*HH:mm:ss*SSS
  • MM/dd/yy HH:mm:ss ZZZZ
  • MM/dd/yyyy HH:mm:ss ZZZZ
  • HH:mm:ss
  • HH:mm:ss.SSS
  • HH:mm:ss,SSS
  • dd/MMM HH:mm:ss,SSS
  • dd/MMM/yyyy:HH:mm:ss
  • dd-MMM-yyyy HH:mm:ss
  • dd-MMM-yyyy HH:mm:ss.SSS
  • dd MMM yyyy HH:mm:ss
  • dd MMM yyyy HH:mm:ss*SSS
  • MMdd_HH:mm:ss
  • MMdd_HH:mm:ss.SSS
  • MM/dd/yyyy hh:mm:ss a:SSS
  • MM/dd/yyyy hh:mm:ss a