Field Interactions

Anywhere in the UI (Results panel, Fields panel, Inspection panel), you can click the icon next to a field to get contextual menus for a series of interactions. Supported interactions depend on the Field Data Types of the selected field. The following image shows them all:

Field Interactions Options

Figure 70. Field Interactions Options


Main interactions are:

  • Copy — copies the value or the field's name, ready for you to paste into the Query editor. It works in any field interaction within the Fields panel and Inspection panel. It also works in the Event list when the data type is JSON or Log line.

    You can copy the field in different formats:

    • Field name copies the field's name. Click inside a nested field in a JSON structure and copy the field name — the whole path will be copied into the field and this corresponds to the field inside LogScale.

    • Value copies the field's value.

    • Value as escaped string escapes the string in LogScale format, ready to paste it directly into any query. This can be useful in case of special characters that need escaping; the same applies for the field name — if they include special characters, they are also going to be escaped.

    • Value as regex copies the field's value as a regular expression.

  • Add as column — directly adds the selected field as a column, the size of the column fitting the name of the field or the content of that field, whichever is largest.

Further interactions are available no matter if the field selected is a value or a name:

  • Aggregate — allows two possible interactions:

    • Find top 10 values

    • Group by value

  • Array — allows filtering based on array values on any position of the array, using the array:contains() query function to query data. It is only shown for JSON arrays. Two interactions are available:

    • Contains value filters events by requiring a string value to be present in the array. For example, given a list of users with different access permissions in the Event List, it is possible to filter for any user who has WRITE permissions, independent on where the WRITE value is in the array. The following query is applied when this interaction is selected:

      logscale
      array:contains("user.permissions[]", value=WRITE)
    • Does not contain value allows for inverted filters, for example, it filters events by requiring a string value that is not present in the array. For example, given a list of users with different access permissions in the Event List, it is possible to filter any user who does not have WRITE permissions. The following query is applied when this interaction is selected:

      logscale
      not array:contains("user.permissions[]", value=WRITE)

      Note

      Because array:contains() checks for a single value at the time, you must run multiple Array interactions, if you wish to filter on multiple values in the array.

  • Filter — used to filter out or keep items, can be done on the value or on the field name. Possible field interactions include:

    • Match value allows including events that match the selected value.

    • Match value (Regex) guides you to how to apply a regex to a field using the literal syntax.

    • Exclude value allows excluding events that have the selected value.

    • Has field allows including events with the selected field.

    • Does not have field allows excluding events without the selected field.

  • Number — only available on a field where a number is detected. The options Max, Min, Avg and Sum apply these aggregates to the field.

    Note

    Numbers that exceed the range of safe integers in Javascript are replaced in JSON by reading the associated LogScale value directly. This is to avoid that incorrect numbers are displayed. These replaced numbers are highlighted in JSON data to indicate that they might be wrong. For more information, see Troubleshooting: UI Warning: The actual value is different from what is displayed.

  • Parse — available on a field that has JSON, URL and Timestamps content, it parses the field as a LogScale field.

    This is possible because interactions are made with fields where LogScale is able to detect what type the field is; for example, some fields are just strings that might be JSON: LogScale detects it as JSON, thus the option ParseJSON will appear in the menu. Similarly, a field that looks like an URL will have the drill-down option ParseURL and it will split out the different parts of the URL.

  • Timechart — possible field interactions include:

    • Use field as series creates a time chart and creates individual series for each value of this field that it finds.

    • Count occurrences gives the number of occurrences for the field.

    • Max value and Percentiles only appear in case of number fields — for example, if it is a number it is possible to get a timeChart() percentile query.

When you hover one of the available options under Timechart, you will get a description of what will happen to the query string. In the following example shown, the option selected is going to append timeChart(#repo) to the query.

Query Update Tooltip

Figure 71. Query Update Tooltip


Tip

Use SHIFT+click to add the suggested option to the query string without running a new search.