In a large environment that generates many log events, you cannot always locate the data fields that matter to you. VMware Log Intelligence addresses this by letting you create fields for use in queries and filters. Fields are a powerful way to add structure to unstructured events and to manipulate both the textual and the visual representation of the data.

Fields are a type of regular expression query useful for complex pattern matching. With fields, you can construct queries or build filters without needing to know, remember, or learn complicated regular expressions.

VMware Log Intelligence supports indexed, content, and extracted fields. Indexed fields are part of your VMware Log Intelligence deployment. Content fields are installed as part of content packs. Extracted fields, also called custom fields, are created by users.

Fields are listed in the Fields pane on the Stream tab on the Explore Logs page. Click a field name to find out more about its use in queries, or click the gear icon to go to the Fields page for information about the field's definition.

The Fields page lists all VMware Log Intelligence fields, organizing them into two groups: Query Results and Other Fields. Each field card shows the field type and includes a menu of the user actions available for that field.

Table 1. Types of fields in VMware Log Intelligence

Field Type          | Definition                                                                                                         | User Actions (Admin permissions) | User Actions (User permissions)
--------------------|--------------------------------------------------------------------------------------------------------------------|----------------------------------|--------------------------------
Indexed             | Created by VMware Log Intelligence based on intelligent grouping algorithms applied to received logs and messages.  | None                             | None
Content             | Defined in a content pack and available for use with queries after the content pack is imported.                   | Clone                            | View
Extracted or custom | Created by VMware Log Intelligence users with admin permissions based on log data. Used to filter and query log events. | Edit, Clone, Delete          | View

Note:

Generic custom queries might be slow. For example, if you attempt to extract a field by using the \(\d+\) expression, the query returns every log event that contains a number in parentheses, most of which have nothing to do with the field you want. Verify that your queries contain as much textual context as possible. For example, Event for vm\(\d+\) is a better field extraction query.
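To show the difference the note describes, the following added example (not part of the VMware Log Intelligence product or documentation) runs the generic \(\d+\) pattern and the contextual Event for vm\(\d+\) pattern over a few constructed log lines and reports which events each one would pull into the query result.

```python
import re

# Constructed sample log events for this example; not real Log Intelligence data.
SAMPLE_LOGS = [
    "Event for vm(1042) powered on by user admin",
    "Event for vm(77) migrated to host esx-03",
    "Datastore latency threshold exceeded (250) ms",
    "Session token refreshed (3) times for user svc-backup",
    "Event for vm(1042) snapshot created",
]

# Generic extraction from the note: any number inside parentheses.
GENERIC_FIELD = re.compile(r"\((\d+)\)")
# Contextual extraction from the note: the same capture, anchored on surrounding text.
CONTEXTUAL_FIELD = re.compile(r"Event for vm\((\d+)\)")


def extract_field(pattern, logs):
    """Return (event, captured value) for every event the extraction pattern matches."""
    results = []
    for line in logs:
        match = pattern.search(line)
        if match:
            results.append((line, match.group(1)))
    return results


def compare_extractions(logs=SAMPLE_LOGS):
    """Run both patterns and list the events the generic pattern matches by mistake."""
    generic = extract_field(GENERIC_FIELD, logs)
    contextual = extract_field(CONTEXTUAL_FIELD, logs)
    wanted = {line for line, _ in contextual}
    false_positives = [line for line, _ in generic if line not in wanted]
    return {
        "generic": generic,
        "contextual": contextual,
        "false_positives": false_positives,
    }


if __name__ == "__main__":
    summary = compare_extractions()
    for name in ("generic", "contextual"):
        print(f"{name}: {len(summary[name])} events matched")
        for line, value in summary[name]:
            print(f"  {value!r:8} <- {line}")
    print(f"unrelated events returned by the generic query: {len(summary['false_positives'])}")
```

The contextual pattern captures the same vm numbers while skipping the latency and session events that the generic pattern would also return.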