
fields

The fields operator allows you to choose which fields are displayed in the results of a query. Use a fields operator to reduce the "clutter" of a search output that contains fields that aren't completely relevant to your query.

There are two fields operator modes:

  • Whitelist - only the fields you list are kept in the search output.
  • Blacklist - all fields except those you list for exclusion remain in the search output.

Whitelist

For whitelist mode, only fields you specify for inclusion are kept in the search output. For example, to strip out every field except for method and status_code, your query would be:

_sourceCategory=Apache/Access
| parse using public/apache
| fields method, status_code

The search results would look like this:

[Screenshot: Fields]

Whitelist queries allow all system internal fields (fields prefixed with an underscore "_") to pass.

Blacklist

For blacklist mode, all fields except for those you explicitly remove remain in the search output. Blacklist mode is indicated with a minus sign "-" in a query. For example, to only remove the log_level, module, and process_id fields, your query would be:

_sourceCategory=*apache*
| parse using public/apache
| fields - log_level, module, process_id


Blacklist queries will also remove internal fields (fields prefixed with an underscore "_") when specified. For example:

_sourceCategory=*apache*
| parse using public/apache
| count by size
| fields - _count

Make sure that your query does not list the same field more than once in a fields operator, or the search query will fail.
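The following is an added example, not Sumo Logic's own code: a small Python model of the whitelist and blacklist semantics described above, run over constructed records that stand in for the output of parse using public/apache. The internal field names (_sourceCategory, _messagetime) and the record values are assumptions made for the example; what it shows is that whitelist mode lets "_" fields pass, blacklist mode removes them only when named, and a repeated field name is rejected as the page says.

```python
"""Model of the Sumo Logic `fields` operator semantics described on this page.

Added example, not Sumo Logic's own code. Records are plain dicts; keys that
start with "_" stand in for system internal fields.
"""


class FieldsError(ValueError):
    """Raised for a malformed field list, e.g. a field listed twice."""


def parse_fields_clause(clause):
    """Parse the text after `fields`, e.g. "method, status_code" or
    "- log_level, module". Returns (blacklist, names); a leading "-" selects
    blacklist mode. Repeated names make the query fail, as the page states.
    """
    text = clause.strip()
    blacklist = text.startswith("-")
    if blacklist:
        text = text[1:]
    names = [n.strip() for n in text.split(",") if n.strip()]
    if not names:
        raise FieldsError("fields operator needs at least one field name")
    seen = set()
    for name in names:
        if name in seen:
            raise FieldsError(f"field {name!r} listed more than once")
        seen.add(name)
    return blacklist, names


def apply_fields(records, clause):
    """Project each record according to the fields clause."""
    blacklist, names = parse_fields_clause(clause)
    out = []
    for rec in records:
        if blacklist:
            # Blacklist: drop exactly the named fields, internal "_" ones included.
            kept = {k: v for k, v in rec.items() if k not in names}
        else:
            # Whitelist: keep the named fields and let internal "_" fields pass.
            kept = {k: v for k, v in rec.items() if k in names or k.startswith("_")}
        out.append(kept)
    return out


# Constructed sample: two parsed access-log messages plus assumed internal fields.
SAMPLE_MESSAGES = [
    {"_sourceCategory": "Apache/Access", "_messagetime": 1700000000000,
     "method": "GET", "status_code": "200", "size": "512",
     "log_level": "info", "module": "core", "process_id": "4021"},
    {"_sourceCategory": "Apache/Access", "_messagetime": 1700000001000,
     "method": "POST", "status_code": "403", "size": "128",
     "log_level": "warn", "module": "auth", "process_id": "4022"},
]

# Constructed sample of what `count by size` would produce from the rows above.
SAMPLE_AGGREGATE = [
    {"size": "512", "_count": 1},
    {"size": "128", "_count": 1},
]


if __name__ == "__main__":
    for clause in ("method, status_code", "- log_level, module, process_id"):
        print(f"fields {clause}")
        for row in apply_fields(SAMPLE_MESSAGES, clause):
            print("  ", row)
    print("fields - _count")
    for row in apply_fields(SAMPLE_AGGREGATE, "- _count"):
        print("  ", row)
```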

Non-aggregate vs. Aggregate Query Results

The fields displayed in query results are different for non-aggregate and aggregate queries.

By default, all non-aggregate query results, which appear in the Messages tab, include the # (results list number), Time, and Message fields, along with any other fields you have whitelisted in your query.

Aggregate query results, which appear in the Aggregates tab, include only the fields that you have specified in your query.

For example, for this non-aggregate query:

_sourceCategory=Apache/Access
| parse using public/apache
| fields method, status_code

The search results would look like this:

[Screenshot: Fields_nonaggregate]

The same query with a count by statement added, which makes it an aggregate query:

_sourceCategory=Apache/Access
| parse using public/apache
| count by method, status_code
| fields status_code, method

This would provide the following results:

Use a Field Name that Contains Spaces or Special Characters

The Sumo Logic search language allows only the characters 'a-zA-Z_' in field identifiers. Where a field name contains other characters, you need to escape it by prefixing the % character and wrapping the field name in double quotes.

Syntax:    %"field_name"

Here's an example:

| "Robot" as %"learning robot .33."

This creates a field named "learning robot .33." with the value "Robot".
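The following is an added example, not Sumo Logic's own code: Python helpers that apply the identifier rule just described when building or reading a query, so that a field name containing spaces or punctuation is always emitted in the %"..." form rather than pasted into the query as-is. The bare-identifier character set is taken from the page; how an embedded double quote inside a field name should be escaped is not stated on the page, so such names are rejected here as an assumption.

```python
import re

# Characters the page lists as valid for a bare field identifier.
_BARE = re.compile(r"^[A-Za-z_]+$")
# Escaped form from the page: % followed by the name in double quotes.
_ESCAPED = re.compile(r'^%"([^"]+)"$')


def quote_field(name):
    """Return `name` as it must be written in a query: bare if it uses only
    a-z, A-Z and _, otherwise wrapped as %"name".
    """
    if not name:
        raise ValueError("empty field name")
    if '"' in name:
        # Assumption: the page gives no escape for an embedded double quote,
        # so such a name is refused instead of being emitted in a guessed form.
        raise ValueError("field names containing a double quote are not supported here")
    return name if _BARE.match(name) else f'%"{name}"'


def parse_field_ref(token):
    """Inverse of quote_field: recover the field name from a query token,
    rejecting anything that is neither a bare identifier nor %"..."."""
    token = token.strip()
    m = _ESCAPED.match(token)
    if m:
        return m.group(1)
    if _BARE.match(token):
        return token
    raise ValueError(f"invalid field reference: {token!r}")


def as_clause(value, name):
    """Build the `| "value" as <field>` clause shown on the page, escaping the
    field name as needed. `value` is emitted as a plain quoted string literal."""
    if '"' in value:
        raise ValueError("double quotes inside the value are not handled here")
    return f'| "{value}" as {quote_field(name)}'


if __name__ == "__main__":
    print(as_clause("Robot", "learning robot .33."))
    print(as_clause("Robot", "status_code"))
    print(parse_field_ref('%"learning robot .33."'))
```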