The Field Browser appears on the left side of the Messages tab of the Search page for both aggregate and non-aggregate queries. The Field Browser allows you to zero in on just the fields of interest in a search by displaying or hiding selected fields without having to parse them. You can focus on the fields you’re interested in, avoiding the “noise” of fields you don’t want to see.
For non-aggregate queries, the Field Browser is useful for narrowing results on searches, or when you're not sure which fields are in a log type, in a Partition, or in a Scheduled View. You can run a search with a larger scope and then refine the list of displayed fields to find the data you're looking for.
How the Field Browser works
The Field Browser displays the number of values for each field returned in a search. It works in real time, so you can fine tune the fields you want to view or hide. After setting the fields to display, save your preferences so that the correct fields are always displayed in your searches. The preferences are saved just for your user account and don’t change the way data is displayed in other user accounts.
In addition to the fields found in your logs, the Field Browser shows Time (for message time), Receipt Time (for the receipt time), and Message (for raw log messages). No drill-down searches can be run on these fields because they don't contain number or string data that can be searched on.
- List of fields shown in the Messages tab.
- Indicates a Timestamp field.
- List of fields hidden from view.
- Indicates that the field contains a text string.
- Indicates that the field contains numerical data.
- Click to save the settings for this search.
- Displays the count of a field. Available for non-aggregate queries only.
The Field Browser is limited for aggregate queries in the following ways:
- Drill-down searches are not available for aggregate queries.
- Field counts (item G above) are not displayed for aggregate queries.
- If a query returns more than 100,000 messages, the field counts are approximate. Beyond that volume of messages, for performance reasons, Sumo uses heuristics to estimate field counts. In that case, a yellow icon appears near the top of the Field Browser, as shown below.