
Search Metadata

Sumo Logic attaches metadata tags to your log messages when the data is collected, which can be useful when you're searching log data. The tags allow you to quickly identify the Collector or Source the data was ingested from, the type of logs, and so on.

Some metadata fields are determined by the values you enter when installing a Collector or configuring a Source; these fields can be edited at any time.

What metadata fields can I search?

You can run queries using any of the following Sumo Logic metadata fields:

Name             Description

_collector       The name of the Collector (set when the Collector was installed) that received the log message.
_messageCount    A sequence number (per Source) added by the Collector when the message was received.
_messageTime     The timestamp of the message. If the message doesn't have a timestamp, _messageTime uses the value of _receiptTime.
_raw             The raw log message.
_receiptTime     The time the Collector received the message.
_size            The size of the log message.
_source          The name of the Source, determined by the name you entered when you configured the Source.
_sourceCategory  The category of the Source that collected the log message.
_sourceHost      The host name of the Source. For local Sources the host name is set when you configure the Source; for remote Collectors this field uses the remote host's name. The value is populated using a reverse DNS lookup; if the name cannot be resolved, _sourceHost is displayed as localhost.
_sourceName      The name of the log file, determined by the path you entered when you configured the Source.

Searching metadata

To search using metadata:

  1. As part of the keyword expression before the first pipe, enter the metadata type using its field name.
  2. Add an equals sign (=).
  3. Add the metadata string you want to search against. A few tips:
    • Add wildcards at the front and back of any partial term or string to capture the most results.
    • If your metadata contains spaces, quote the string and type the text exactly as entered at Source configuration time.
    • Quotes and wildcards cannot be used together.

This table shows some examples and a description of each metadata type.

Example Description

  • _collector=Mac_server
  • _collector=AWS_1*

Returns results from the named Collector only. Entered when a Collector is installed and activated.

  • _source=main_web_app
  • _source=*syslog*

Returns results from the named Source only. Entered when a Source is configured.

  • _sourceCategory=*apache*
  • _sourceCategory="Security Logs"

Returns results from one or more Sources depending on whether the tag was applied to a single Source or a series of Sources. Entered when a Source is configured.

  • _sourceHost=hostname
  • _sourceHost=*RAS*

Usually returns results from one Source, unless a value is entered at the Collector level for a Collector with more than one Source.

If the field is left blank when a Source is configured, the value for Source Host is taken from the host system value. A custom value can be entered at the Source or Collector configuration. Metadata values entered at Source level override Collector values.

  • _sourceName=path/to/file/
  • _sourceName=*path*

Returns results from one or more Source paths. Entered when a Source is configured. Note that the metadata field _sourceName is not the name of the Source, but the file path.

In the Messages tab, each message displays its metadata tags.

Search different values of a metadata field in the same query

To search more than one value of the same metadata field, you can use the conditional operator OR.

Metadata fields follow the same rules as Keyword Search Expressions.

For example:

(_sourceCategory=*apache* or _sourceCategory="Security Logs")
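As an added example (not part of the Sumo Logic documentation or product), the following Python evaluator applies the matching rules described on this page, wildcards in bare values, exact matching for quoted values, no mixing of quotes and wildcards, and OR between clauses, to a handful of constructed messages. It is useful for sanity-checking a query's selection logic offline before running it; it assumes metadata values compare case-insensitively and handles only OR-joined metadata clauses, not the rest of the keyword search grammar.

```python
import re
from typing import Dict, List

# Searchable metadata fields listed on this page.
METADATA_FIELDS = {"_collector", "_messageCount", "_messageTime", "_raw", "_receiptTime",
                   "_size", "_source", "_sourceCategory", "_sourceHost", "_sourceName"}

# One clause: field=value, where value is "quoted text" (exact) or a bare
# token without spaces or parentheses that may carry * wildcards.
CLAUSE_RE = re.compile(r'(_\w+)=(?:"([^"]*)"|([^\s()]+))')


def compile_clause(field: str, quoted, bare) -> "re.Pattern[str]":
    """Turn one parsed clause into an anchored regex over the field's value."""
    if field not in METADATA_FIELDS:
        raise ValueError(f"unknown metadata field: {field}")
    if quoted is not None:
        if "*" in quoted:  # page rule: quotes and wildcards cannot be combined
            raise ValueError("quotes and wildcards cannot be used together")
        pattern = re.escape(quoted)
    else:  # each * becomes .* so *apache* matches anywhere in the value
        pattern = ".*".join(re.escape(part) for part in bare.split("*"))
    # Assumption: metadata values compare case-insensitively.
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def matches(expr: str, meta: Dict[str, str]) -> bool:
    """Evaluate clauses joined by OR, optionally parenthesised, against one
    message, e.g. (_sourceCategory=*apache* or _sourceCategory="Security Logs")."""
    leftover = CLAUSE_RE.sub(" ", expr)  # only 'or', spaces and parens may remain
    if re.sub(r"\bor\b|[\s()]", "", leftover, flags=re.IGNORECASE):
        raise ValueError(f"unsupported syntax in: {expr!r}")
    return any(compile_clause(m[1], m[2], m[3]).match(meta.get(m[1], ""))
               for m in CLAUSE_RE.finditer(expr))


# Constructed sample messages with the metadata a Collector would attach.
MESSAGES: List[Dict[str, str]] = [
    {"_collector": "AWS_1a", "_source": "main_web_app", "_sourceCategory": "prod/apache/access",
     "_raw": "GET /login 200"},
    {"_collector": "Mac_server", "_source": "winevt", "_sourceCategory": "Security Logs",
     "_raw": "4625 logon failure"},
    {"_collector": "AWS_1b", "_source": "rsyslog-fwd", "_sourceCategory": "prod/syslog",
     "_raw": "sshd: Accepted publickey"},
]


def search(expr: str, messages: List[Dict[str, str]] = MESSAGES) -> List[str]:
    """Return the _raw text of each message the expression selects."""
    return [m["_raw"] for m in messages if matches(expr, m)]
```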