The Field Browser appears on the left side of the Messages tab of the Search page for both aggregate and non-aggregate queries. The Field Browser allows you to zero in on just the fields of interest in a search by displaying or hiding selected fields without having to parse them. You can focus on the fields you’re interested in, avoiding the “noise” of fields you don’t want to see.
For non-aggregate queries, the Field Browser is useful for narrowing results on searches, or when you're not sure which fields are in a log type, in a Partition, or in a Scheduled View. You can run a search with a larger scope and then refine the list of displayed fields to find the data you're looking for.
How the Field Browser works
The Field Browser displays the number of values for each field returned in a search. It works in real time, so you can fine-tune the fields you want to view or hide. After setting the fields to display, save your preferences so that the correct fields are always displayed in your searches. The preferences are saved just for your user account and don’t change the way data is displayed in other user accounts.
In addition to the fields found in your logs, the Field Browser shows Time (for message time), Receipt Time (for the receipt time), and Message (for raw log messages). No drill-down searches can be run on these fields because they don't contain number or string data that can be searched on.
- Search for fields by entering text in this field.
- List of Fields shown in the Messages tab.
- Indicates a Timestamp field.
- List of Fields that are hidden from view.
- Indicates that the field contains a text string.
- Indicates that the field contains numerical data.
- Click to save the settings for this search.
- Displays the count of a field. Available for non-aggregate queries only.
- Tilde (~) in front of a count value indicates that the value is approximate. If the number of parsed messages is less than or equal to 2500, an exact value is shown in the Field Browser. If the number of parsed messages exceeds 2500, an approximation is shown.
To show absolute values in the Field Browser
- In the Sumo Logic left navigation bar, select Manage > Developers.
- In the list that appears, find UIFacetBrowsingAbsoluteValues.
- Toggle to Enabled.
Search for fields
You can search for fields in the Field Browser, a feature that is especially useful when you have hundreds of fields parsed from messages. As you enter a text string in the Search field, results dynamically appear in the list below. The following guidelines apply:
- Search is case sensitive
- Search criteria is shown for Display Fields and Hidden Fields
- Search results will highlight matching characters
In our example, we entered ka in the Search field and instantly received the following results.
Nested field groupings
Nested fields, such as those seen in JSON and KV, are grouped together based on their innate structure, which makes them easy to traverse. We have used a JSON nested structure in the following example.
The Field Browser is limited for aggregate queries in the following ways:
- Drill-down searches are not available for aggregate queries.
- Field counts (item G above) are not displayed for aggregate queries.
- Field counts—If the number of messages returned is less than or equal to 2500, an exact calculation is shown. If more than 2500 messages are returned, an approximation is shown.