Field extractions allow you to parse fields from your log messages at the time the messages are ingested, which eliminates the need to parse fields at the query level. With Field Extraction Rules (FERs) in place, users can use the pre-parsed fields for ad-hoc searches, scheduled searches, real-time alerts and dashboards. In addition, field extraction rules help standardize field names and searches, simplify the search syntax and scope definition, and improve search performance.
Note that fields are extracted from the time your create your FER moving forward. Therefore, set your FERs early on to take advantage of of this automatic parsing mechanism.
For best practices on naming your fields, see Field Naming Convention.
The Manage > Data Configuration > Field Extraction Rules (Manage > Field Extractions in the classic UI) page displays the following information:
- Field extraction rule status, enabled or disabled.
- Rule Name.
- Rule Scope.
- Rule Fields.
On the Manage > Data Configuration > Field Extraction Rules page you can: