Field Extractions

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Field extractions allow you to parse fields from your log messages at the time the messages are ingested, which eliminates the need to parse fields at the query level. With Field Extraction Rules (FERs) in place, users can use the pre-parsed fields for ad-hoc searches, scheduled searches, real-time alerts, and dashboards. In addition, field extraction rules help standardize field names and searches, simplify the search syntax and scope definition, and improve search performance.

Note that fields are extracted from the time you create your FER moving forward. Therefore, set your FERs early on to take advantage of this automatic parsing mechanism.

For best practices on naming your fields, see Field Naming Convention.

Settings page july 2019.png

The Manage Data > Settings > Field Extraction Rules page displays the following information:

Field extraction rule status, either enabled or disabled
Rule Name
Rule Scope
Rule Fields
Created date and time by user
Last modified date and time by user

On the Manage Data > Settings > Field Extraction Rules page you can:

Create a Field Extraction Rule
Search Field Extraction Rules
Run a Search against extracted fields
Edit a Field Extraction Rule
Delete a Field Extraction Rule
See Details of a Field Extraction Rule
Disable a Field Extraction Rule

Limitations

There is a limit of 50 Field Extraction Rules and 200 fields. The 200-field limit is per account, and deleting rules does not create more space. Fields created as log metadata and from Field Extraction Rules share the same quota of 200 fields.
Field Extraction Rules are limited to a maximum of 16k (16,384) characters.
Because fields are parsed at the time of data ingestion, Field Extraction Rules only apply to data moving forward. If you want to parse data ingested before the creation of your FER, you can either parse your data in your query, or create Scheduled Views to extract fields for your historical data.

Topics