In a large environment with numerous log events, you cannot always locate the data fields that are important to you. VMware Aria Operations for Logs (SaaS) supports the creation of fields to use in queries and filters to address this concern. Fields are a powerful way to add structure to unstructured events and allow the manipulation of both the textual and visual representation of data.
Fields are a type of regular expression query useful for complex pattern matching. With fields, you can construct queries or build filters without needing to know, remember, or learn complicated regular expressions.
VMware Aria Operations for Logs (SaaS) supports indexed, content, and extracted fields. Indexed fields are part of your VMware Aria Operations for Logs (SaaS) deployment. Content fields are installed as part of content packs. And extracted, or custom fields, are user created.
Fields are listed in the Fields pane on the Stream tab on the Explore Logs page. Click a field name to find out more about its use in queries, or click Fields Library for additional information about fields.
The Fields Library page lists all VMware Aria Operations for Logs (SaaS) fields, organizing them into two tabs - Found in query results and Other Fields. Each field card indicates the field type and includes icons, which you can click for possible user actions for the field. You can filter fields by their source - Indexed, Extracted, Public Content Pack, and Private Content Pack.
|Field Source||Definition||User Actions|
|Admin permissions||User permissions|
|Indexed||Created by VMware Aria Operations for Logs (SaaS) based on intelligent grouping algorithms applied to received logs and messages.||
|Extracted||Created by VMware Aria Operations for Logs (SaaS) users with admin permissions based on log data. Used to filter and query log events.||
|Content||Defined in a public or private content pack and available for use with queries after the content pack is imported.||
\(\d+\)expression, the query returns all log events that contain numbers in parentheses. Verify that your queries contain as much textual context as possible. For example,
Event for vm\(\d+\)is a better field extraction query.