Event Fields
In LogScale, you can search either the raw data of events or the fields extracted from the event when the data is parsed.
There are different kinds of fields coming from the events:
Metadata fields using the prefix @ contain metadata about each event extracted during ingestion. All events will have these default fields, for example @id or @timestamp. See Metadata Fields for the complete list of these fields.
Tag fields using the prefix # define how events are physically stored and indexed. See Tag Fields for the list of these fields.
User fields is any field that is not a tag field or metadata field.
Event fields can be viewed and managed from the LogScale User Interface. See Searching Data.
For more information on how to query event fields in LogScale and discover what you can achieve with query writings, see Managing Queries and Common Queries.
Metadata Fields
Each event has some metadata attached to it on ingestion; all metadata fields start with @ to make them easy to identify. All events will contain the following metadata fields by default.
| Metadata Field | Description |
|---|---|
| @rawstring | The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries. |
| @id | A unique identifier for the event. Can be used to refer to and re-find specific events. |
| @timestamp |
Timestamp in milliseconds since the epoch (1st Jan 1970,
00:00) of the ingested event, for example
2022-11-22 09:50:20.100 if the event has an
identifiable timestamp. Timestamps are in UTC.
|
| @timezone | The timezone the event originated in, if known. This is often set when the event's timestamp is parsed. |
| @ingesttimestamp | The timestamp of when the event was ingested. The value is milliseconds-since-epoch. Timestamps are in UTC. |
| @timestamp.nanos |
Extended precision of timestamp below millisecond. For example,
295000.
Timestamps are in UTC.
|
Tag Fields
Each event has some tagged data attached to it on ingestion; all tag fields start with # to make them easy to identify. All events will contain the following tag fields by default.