Sumo Logic

Create a Field Extraction Rule

You can create a field extraction rule (FER) from scratch or, depending on your data source, start from one of the templates provided in the drop-down menu.

You need the Manage field extraction rules role capability to create a field extraction rule.


  • There is a limit of 50 Field Extraction Rules and 200 fields. Fields created as log metadata and from Field Extraction Rules share the same quota of 200 fields. You can manage your fields on the Fields page.
  • Field Extraction Rules are limited to a maximum of 16k (16,384) characters.
  • Because fields are parsed at the time of data ingestion, Field Extraction Rules only apply to data moving forward. If you want to parse data ingested before the creation of your FER, you can either parse your data in your query, or create Scheduled Views to extract fields for your historical data.  

Creating a new Field Extraction Rule

To create a Field Extraction Rule:

  1. Go to Manage Data > Settings > Field Extraction Rules.
  2. Click Add.
  3. Enter the following options:
    • Rule Name. Type a name that makes it easy to identify the rule.
    • Scope. Type keywords and built-in metadata fields that identify the subset of logs you want to parse. Think of the Scope as the first portion of an ad hoc search, before the first pipe ( | ); it is also what you run as a search to test the rule. Custom metadata fields are not supported in the Scope because they have not yet been indexed to your data at this point in collection.
    • Parse Expression.
      • Type a valid parse expression using the supported parse and search operators (listed below). Because extracted fields are associated with the Rule Name, the same field name can be parsed in as many rules as you like (see the best practices below on re-using field names).
        For example, to parse a single field, you could use a definition similar to this:
        parse "message count = *," as msg_count
        To parse multiple fields, you could use a definition similar to this:
        parse "[hostId=*] [module=*] [localUserName=*] [logger=*] [thread=*]" as hostId, module, localUserName, logger, thread
      • Or select a Parse Template.
    • Templates. See Create a Field Extraction Rule Using a Template below for more information.
  4. Click Add.

Create a Field Extraction Rule Using a Template

Instead of creating a parse expression, you can select a template from the list, preview it, and then click to apply it. The template will overwrite any existing parse expression.

To create a new Field Extraction Rule with a Template:

  1. Go to Manage Data > Settings > Field Extraction Rules.
  2. Click Add.
  3. Enter the Rule Name and Scope.
  4. Click the drop-down under Parsed template to see the available templates.
  5. Choose a template and click Use Template. The template is applied to the Parse Expression.
  6. Review the applied Parse Expression.
  7. Extracted Fields shows the field names the rule will parse. Select the fields you want the rule to assign. Any fields that do not exist in the Field table schema are shown with the text "New" highlighted in green. Selecting a new field will automatically create the field in the table schema. You can view and manage the field table schema on the Fields page.
  8. Click Save to create the rule.

Best practices for designing Rules

Include the most accurate keywords to identify the subset of data from which you want to extract data. Lock down the scope as tightly as possible to make sure it's extracting just the data you want, nothing more. Using a broader scope means that Sumo Logic will inspect more data for the fields you'd like to parse, which may mean that fields are extracted when you don't actually need them.

Create multiple, specific rules. Instead of constructing complicated rules, create several rules with a basic scope, then search across more than one of them (rules are additive). The OR and AND operators are supported in the Scope, just as in any search. For example, you could use one rule to parse Apache log response codes and another to parse response time; used together, they give you all the information you need.

Don't extract fields you don't need. Extract the minimum set of fields, all of which should be present in every log the rule targets. Every field a rule extracts shows up in every search over that data, so extra fields only add noise to your results. It's better to create more rules, each extracting the fields that are most commonly used. First, look at your common data sources and see what is most frequently extracted from them. Then think about what you most frequently parse from those sources, and create rules to extract those fields automatically.

To match distinct log patterns for the same field name, create multiple parse nodrop statements in one FER. Because a nodrop statement that does not match leaves the message in place, the statements effectively act as an OR: whichever one matches the log message supplies the field value.

Test the scope before creating the rule. Make sure that you can extract fields from all messages you need to be returned in search results. Test them by running a potential rule as a search.

Make sure every field your rule parses is present in all messages your Scope selects. When a Field Extraction Rule is applied to data, all of its fields must be found for any of them to be indexed; if even one field is missing from a message, that message is dropped from the rule's results. In other words, it's all or nothing. For sets of fields that are somewhat independent, make two rules.

Re-use field names across FERs only when their scopes are distinct and never match the same messages. To save space and fit more FERs within your 200-field limit, you can re-use field names as long as the FERs that use them do not overlap.

Avoid targeting the same field name in the same message with multiple FERs. When more than one FER targets the same message with the same field name, only one of the rules applies to that field, and which one wins is effectively random. Don't use the same field names in multiple FERs that target the same messages.
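The three behaviours described above (a parse statement that fails to match drops the message, several parse nodrop statements for one field act as an OR, and two rules assigning the same field name to the same message conflict) are easier to reason about with an offline model you can run against sample lines before saving a rule. The following is an added example, not Sumo Logic's code: it translates an anchor-style parse expression into a regular expression and applies the semantics stated on this page. The translation of `*` to a lazy regex group (greedy when it ends the anchor), the Scope model (terms ANDed, `key=value` matched against message metadata, bare terms matched case-insensitively against the raw text), and the sample log lines are all assumptions constructed for the example.

```python
"""Offline model of the Field Extraction Rule behaviour described above.

Added example, not Sumo Logic code. Assumptions (not from the page): '*' in an
anchor becomes a lazy regex group (greedy when it ends the anchor), the anchor
is searched anywhere in the raw message, and Scope terms are ANDed, with
key=value terms matched against message metadata and bare terms matched
case-insensitively against the raw text.
"""
import re
from dataclasses import dataclass


@dataclass
class ParseStatement:
    anchor: str           # anchor text with one '*' per extracted field
    names: list           # field names, in the order of the '*' wildcards
    nodrop: bool = False  # True models 'parse nodrop'

    def __post_init__(self):
        if self.anchor.count("*") != len(self.names):
            raise ValueError(f"{self.anchor!r}: wildcard count != field count")

    def regex(self):
        """Escape the literal anchor text and turn each '*' into a capture group."""
        pieces = self.anchor.split("*")
        out = re.escape(pieces[0])
        for i, literal in enumerate(pieces[1:], start=1):
            last = i == len(pieces) - 1
            out += ("(.*)" if last and literal == "" else "(.*?)") + re.escape(literal)
        return re.compile(out)


@dataclass
class Rule:
    name: str
    scope: str
    statements: list


def in_scope(scope, msg):
    """Scope model: every term must hold (AND)."""
    for term in scope.split():
        if "=" in term:
            key, value = term.split("=", 1)
            if msg.get(key) != value:
                return False
        elif term.lower() not in msg["_raw"].lower():
            return False
    return True


def apply_rule(rule, msg):
    """Return the fields the rule assigns to msg.

    {}   -> message out of scope, or in scope but no statement matched (nodrop)
    None -> message dropped: a non-nodrop statement failed to match (all or nothing)
    """
    if not in_scope(rule.scope, msg):
        return {}
    fields = {}
    for st in rule.statements:
        match = st.regex().search(msg["_raw"])
        if match:
            fields.update(zip(st.names, match.groups()))
        elif not st.nodrop:
            return None
    return fields


def conflicting_assignments(rules, messages):
    """Flag two rules assigning the same field name on the same message."""
    hits = set()
    for msg in messages:
        owner = {}
        for rule in rules:
            for name in (apply_rule(rule, msg) or {}):
                if name in owner and owner[name] != rule.name:
                    hits.add((owner[name], rule.name, name))
                owner.setdefault(name, rule.name)
    return sorted(hits)


# Constructed sample messages (metadata plus raw text), not real data.
SAMPLE = [
    {"_sourceCategory": "prod/app", "_raw": "2024-05-01 12:00:01 [hostId=web-01] [module=auth] login ok"},
    {"_sourceCategory": "prod/app", "_raw": "2024-05-01 12:00:02 [hostId=web-02] heartbeat"},
    {"_sourceCategory": "prod/api", "_raw": "GET /health resp_code=200, took 12ms"},
    {"_sourceCategory": "prod/api", "_raw": "POST /login status: 401; user=alice"},
]

# All-or-nothing: the heartbeat line has no [module=...], so it is dropped.
STRICT = Rule("app_context", "_sourceCategory=prod/app",
              [ParseStatement("[hostId=*] [module=*]", ["hostId", "module"])])
# Two nodrop statements for one field act as an OR over two log formats.
STATUS = Rule("api_status", "_sourceCategory=prod/api",
              [ParseStatement("resp_code=*,", ["status"], nodrop=True),
               ParseStatement("status: *;", ["status"], nodrop=True)])
# Overlapping scope that assigns the same field name: the anti-pattern above.
DUP = Rule("api_status_dup", "_sourceCategory=prod/api resp_code",
           [ParseStatement("resp_code=*,", ["status"])])

if __name__ == "__main__":
    for rule in (STRICT, STATUS):
        for msg in SAMPLE:
            print(rule.name, "->", apply_rule(rule, msg))
    print("conflicts:", conflicting_assignments([STRICT, STATUS, DUP], SAMPLE))
```

Running the model shows the heartbeat line coming back as dropped (None) under the strict rule, both API formats yielding a single `status` field under the nodrop rule, and the duplicate rule flagged because it and `api_status` both assign `status` to the same message. The point is to test scope and field coverage on representative lines before a rule is applied to live ingestion, since, as noted above, a FER only affects data going forward.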

Supported parsing and search operators

The following operators can be used as part of the Parse Expression in a Field Extraction rule.

  • parse regex
  • parse anchor
  • parse nodrop
  • csv
  • fields
  • json
  • keyvalue
  • num