LogScale stores data in physical partitions called Data Sources. Parsers can be configured to assign events to a particular data source based on specific fields — this is called tagging. Tagging is an advanced topic and you should only consider using tags if you need to optimize search speeds. If you create too many different tag combinations, performance will suffer. You can read more about tags and data sources in Understanding LogScale's Data Sources.
Assume you have an Nginx server which is sending access logs to LogScale. You have also defined the two fields method and secret as tagging fields.
Now assume that some URLs contain sensitive information and you would like to limit access to them to only a subset of your LogScale users. In this case we will say that any URL that starts with /transactions/ or /admin/ should be tagged as secret. Let's write the parser:
// The full accesslog parser has been left out for brevity.
| case {
    // CASE: Match events with a url field starting /transactions/ or /admin/
    url = "/transactions/*" OR url = "/admin/*"
      | secret := true;
    // CASE: Match all other events
    *
      | secret := false;
  }
We could now create a view for the users that don't have access rights to look at the data marked as secret=true.
We created a new field as part of the parsing process which was then used to tag the incoming events. Had we not defined secret as a tagging field the view would still work perfectly fine. In fact we would get the exact same results — albeit without the performance enhancement of the tag-based search.
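The Python sketch below is an added example, not LogScale code and not how LogScale is implemented: it applies the parser rule from this page to constructed Nginx access log lines and groups the events by tag combination, showing that the choice of tagging fields changes the number of data sources but not what a view that excludes secret=true returns. The function names, the sample lines, and the use of fnmatch as a stand-in for LogScale's wildcard match are assumptions.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample lines in Nginx "combined" access log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - alice [10/Oct/2023:13:55:40 +0000] "GET /admin/users HTTP/1.1" 200 901 "-" "curl/8.0"
198.51.100.7 - bob [10/Oct/2023:13:56:02 +0000] "POST /transactions/42 HTTP/1.1" 201 77 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /docs/admin/faq HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
SECRET_PATTERNS = ("/transactions/*", "/admin/*")  # globs from the parser on this page


def parse(line):
    """Extract method and url, then apply the two-branch case rule."""
    m = REQUEST.search(line)
    if m is None:
        return None
    event = m.groupdict()
    is_secret = any(fnmatchcase(event["url"], p) for p in SECRET_PATTERNS)
    event["secret"] = "true" if is_secret else "false"
    return event


def data_sources(events, tag_fields):
    """Group events by their tag combination: one bucket per data source."""
    buckets = defaultdict(list)
    for e in events:
        buckets[tuple((f, e[f]) for f in tag_fields)].append(e)
    return dict(buckets)


def restricted_view(events):
    """URLs visible through a view that excludes secret=true."""
    return [e["url"] for e in events if e["secret"] != "true"]


EVENTS = [e for e in map(parse, SAMPLE_LOG.splitlines()) if e]

if __name__ == "__main__":
    for tags in (("method", "secret"), ("method",)):
        print(tags, "->", len(data_sources(EVENTS, tags)), "data sources")
    print("restricted view:", restricted_view(EVENTS))
```

The match is anchored at the start of the URL, so /docs/admin/faq stays outside the secret partition; each additional tagging field multiplies the possible combinations, which is why the page warns against too many of them.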