Sumo Logic has several metadata fields that are automatically tagged to ingested data. These metadata fields are referenced by the service in many ways, such as the user interface when managing Collection, and can be referenced in search queries.
Built-in metadata fields
You can run queries using any of the following built-in metadata fields:
|The name of the Collector (set when the Collector was installed) that received the log message.|
|A sequence number (per Source) added by the Collector when the message was received.|
|The parsed timestamp by the Collector from the log message in milliseconds. If the message does not have a timestamp, messageTime uses the receiptTime.|
|The raw log message.|
|The time the Collector received the message in milliseconds.|
|The size of the log message in bytes.|
|The name of the Source, determined by the name you entered when you configured the Source.|
|The category of the Source that collected the log message. This can be a maximum of 1,024 characters.|
|The host name of the Source. For local Sources the name of the Source is set when you configure the Source. For remote Collectors, this field uses the remote host's name. The |
|The name of the log file, determined by the path you entered when you configured the Source.|
|The pattern used for parsing the timestamp. See here for more details.|
Searching metadata fields follow the same rules as Keyword Search Expressions.
To run a search using metadata fields:
As part of the keyword expression before the first pipe, enter the metadata field name.
Add an equals sign (
Add the metadata value you want to search against. A few tips:
- Add wildcards at the front and back of any partial term or string to capture the most results.
- If your metadata value contains spaces wrap it in quotes.
- Quotes and wildcards can't be used together.
- Metadata tags are case-insensitive when searching.
This table shows some examples and a description of each metadata type.
|Returns results from the named Collector only. Entered when a Collector is installed and activated.|
|Returns results from the named Source only. Entered when a Source is configured.|
|Returns results from one or more Sources depending on whether the tag was applied to a single Source or a series of Sources. Entered when a Source is configured.|
|Usually returns results from one Source, unless a value is entered at the Collector level for a Collector with more than one Source.|
If the field is left blank when a Source is configured, the value for Source Host is taken from the host system value. A custom value can be entered at the Source or Collector configuration. Metadata values entered at Source level override Collector values.
|Returns results from one or more Source paths. Entered when a Source is configured. Note that the metadata field |
In the Messages tab, each message displays its metadata tags:
Search different values of a metadata field in the same query
To search more than one value of the same metadata field, you can use the conditional operator OR. Metadata fields follow the same rules as Keyword Search Expressions.
(_sourceCategory=*apache* or _sourceCategory="Security Logs")