Skip to main content

Field Naming Convention

Sumo Logic recommends using the following naming convention for standard fields. This best practice creates standardization across your deployment for use with Field Extraction Rules (FER), Searches and Dashboards, makes it easier for users to recognize fields by their names, and can even improve search performance.

For example, if you create your own FER for Source IP, and at some point you want to count by Source IPs across multiple Sources, you can easily do so because you've used the same name for the field across all Sources. In your query, simply use:

| count by src_ip

Another benefit of using the standard field naming convention is that Sumo Logic Apps are created using this naming convention. So if you use it too, your queries will match those of the Sumo Logic Apps’ pre-configured searches and Dashboards.

If you cannot use all the naming conventions for standard fields, we recommend that you at least use the field name conventions for the following:

  • Source Hosts
  • Destination Hosts
  • IP address
  • user

Source Information

Field NameDescription
src_hostSource Host (name or IP)
src_interfaceSource Interface
src_ipSource IP
src_portSource Port (string type)
src_userSource Username
src_zoneSource Zone (mostly for firewall messages)

Destination Information

Field NameDescription
dest_hostDestination Host (name or IP)
dest_ipDestination IP
dest_portDestination Port (string type)
dest_userDestination Username
dest_zoneDestination Zone (mostly for firewall messages)
userAlso Destination Username (for backward compatibility)

Reporting Device

Field NameDescription
reporting_deviceThe hostname of the reporting device, such as a firewall, router, or switch
reporting_device_ipThe IP address of the reporting device

Network Information

Field NameDescription
bytesNumber of bytes sent and received
bytes_recvBytes received
bytes_sentBytes sent

IDS

Field NameDescription
applicationApplication
categoryThreat category, such as virus or Trojan
threatThreat name, for example, virus
vulnerabilityVulnerability

Antivirus

Field NameDescription
applicationApplication
categoryThreat category, such as virus or Trojan
threatThreat name, for example, virus
vulnerabilityVulnerability

Activity

Field NameDescription
actionFinal action by the device, such as blocked, dropped, or passed by firewall
orig_actionThe original (first) action by the device

Miscellaneous

Field NameDescription
countUsed to save some aggregated number (type: int)
device_productThe product name, for example, Windows 2012
device_typeValues used include firewall or IDS
device_vendorThe vendor name, for example, Microsoft
generatorThe name of the base/incident search that generates the event
serviceThe name of a service
updateThe name of the software update
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.