Field Interactions

Anywhere in the User Interface (Event List, Fields Panel, Inspection Panel), you can click the three-dot menu icon (⋮) on a field to get contextual menus that offer a series of interactions. What interactions are supported depend on the Field Data Types of the field you click. The image below shows them all:

Field Interactions Drilldowns

Figure 59. Field Interactions Drilldowns


Main interactions are:

  • Copy — copies the value or the field's name, ready for you to paste it in the Search box. It works in any field interaction within the Fields Panel and Inspection Panel. It also works in the Event List when the data type is JSON or Log line.

    You can copy the field in different formats:

    • Field name copies the field's name. Click inside a nested field in a JSON structure and copy the field name — it'll copy the whole path into the field and this corresponds to the field inside LogScale.

    • Value copies the field's value.

    • Value as escaped string escapes the string in LogScale format, ready to paste it directly into any query. This can be useful in case of special characters that need escaping; the same applies for the field name — if they include special characters, they are also going to be escaped.

    • Value as regex copies the field's value as a regular expression.

  • Add as column — directly adds the selected field as a column, the size of the column fitting the name of the field or the content of that field, whichever is largest.

Further interactions are available no matter if the field selected is a value or a name:

  • Aggregate — allows two possible interactions:

    • Find top 10 values

    • Group by value

  • Array — allows filtering based on array values on any position of the array, using the array:contains() query function to query data. It is only shown for JSON arrays. Two interactions are available:

    • Contains value filters events by requiring a string value to be present in the array. For example, given a list of users with different access permissions in the Event List, I can filter for any user who has WRITE permissions, independent on where the WRITE value is in the array. The following query is applied when this interaction is selected:

      logscale
      array:contains("user.permissions[]", value=WRITE)

    • Does not contain value allows for inverted filters i.e. it filters events by requiring a string value that is not present in the array. For example, given a list of users with different access permissions in the Event List, I want to filter any user who doesn't have WRITE permissions. The following query is applied when this interaction is selected:

      logscale
      not array:contains("user.permissions[]", value=WRITE)

      Note

      Because array:contains() checks for a single value at the time, you need to run multiple Array interactions if you wish to filter on multiple values in the array.

  • Filter — used to filter out or keep items, can be done on the value or on the field name. Possible field interactions include:

    • Match value allows including events that match the selected value.

    • Match value (Regex) guides you to how to apply a regex to a field using the literal syntax.

    • Exclude value allows excluding events that have the selected value.

    • Has field and Does not have field allows including/excluding events with/without the selected field.

  • Number — only available on a field where a number is detected. The drill-down options Max, Min, Avg and Sum apply these aggregates to the field.

    Note

    Numbers that exceed the range of safe integers in Javascript are replaced in JSON by reading the associated LogScale value directly. This is to avoid that incorrect numbers are displayed. These replaced numbers are highlighted in JSON data to indicate that they might be wrong.

  • Parse — available on a field that has JSON, URL and Timestamps content, it parses the field as a LogScale field.

    This is possible because interactions are made with fields where LogScale is able to detect what type the field is; for example, some fields are just strings that might be JSON: LogScale detects it as JSON, thus the option ParseJSON will appear in the menu. Similarly, a field that looks like an URL will have the drill-down option ParseURL and it will split out the different parts of the URL.

  • Timechart — possible field interactions include:

    • Use field as series creates a time chart and creates individual series for each value of this field that it finds.

    • Count occurrences gives the number of occurrences for the field.

    • Max value and Percentiles only appear in case of number fields — for example, if it's a number we can get a timeChart() percentile query.

When you hover one of the available drill-downs, you will get a description of what will happen to your query string. In the example shown here below, the drill-down selected is going to append timeChart(#repo) to your query:

Query Update Tooltip

Figure 60. Query Update Tooltip


Tip

Use SHIFT+click to add the suggested option to the query string without running a new search.