Fields

Every datatype that is assigned to data uses fields to extract values from an event or a line of raw log data. A regular expression pattern or the split function defines what values a field may have. A synthetic field is a field that uses the value of an existing field rather than the raw incoming data. When you click on a field you will see the following dialog:

  • Function - This is the default analytic used on this field on the Search page.
  • Visible - If this attribute is enabled, the field will be displayed in the raw events on the Search page.
  • Summary - Summary statistics are calculated on this field on the Search page at search time.
  • synth source (optional) - A synth source is another Field or Synthetic Field.
  • synth expression (optional) - An expression can generate a new value or modify the value from a synth source.

Synthetic Fields

A synthetic field is created by setting a field for the Synth Source and an expression for the Synth Expression. Here's a summary of how a field can be configured:

Synth Expression                        Synth Source   View
pattern,regexp                          REQUIRED       OPTIONAL
substring,lastsubstring,split           REQUIRED       OPTIONAL
jep,mvel,groovy-script,groovy-geoip     OPTIONAL       OPTIONAL
heatmap-numeric,heatmap-enum            OPTIONAL       OPTIONAL

The synth expression uses different functions to create values based on other groups in the data type.

Pattern Expression - This is a regular expression that is applied to the field specified in the synth source field. See the Patterns in Logscape page for a description.

Expression Evaluators - You can also use the jep or mvel expression evaluators. They have the following syntax.

jep: memMB / totalMemory * 100
The mvel syntax is identical to jep except that mvel also supports the concatenation of strings:
mvel: "http://" + url
Any variable used with mvel or jep must already exist as another field.
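As an added illustration (not code from this page or from Logscape, which evaluates these expressions with the jep and mvel libraries), the Python below stands in for an expression evaluator. It accepts only the arithmetic and string-concatenation forms shown above, refuses an expression that names a field the event does not carry (the "must exist first as another field" rule), and never hands the expression string to eval(). The event values and the freeMemory field name are constructed for the example.

```python
import ast
import operator

# Constructed sample event. In Logscape these values would already have been
# extracted into fields by the datatype; every variable an expression uses
# must exist as such a field.
SAMPLE_EVENT = {"memMB": 512, "totalMemory": 2048, "url": "logscape.com/news"}

# The only operators the evaluator will execute.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def referenced_fields(expression):
    """Return the set of variable names the expression refers to."""
    tree = ast.parse(expression, mode="eval")
    return {node.id for node in ast.walk(tree) if isinstance(node, ast.Name)}


def missing_fields(expression, event):
    """Names used in the expression that are not present as fields on the event."""
    return sorted(referenced_fields(expression) - set(event))


def evaluate(expression, event):
    """Evaluate a small jep/mvel-style expression against one event.

    Only literals, field names and the + - * / operators are accepted;
    anything else (calls, attribute access, subscripts, other operators)
    raises ValueError instead of being executed.
    """
    missing = missing_fields(expression, event)
    if missing:
        raise KeyError("fields must exist before use: " + ", ".join(missing))
    tree = ast.parse(expression, mode="eval")

    def _eval(node):
        if isinstance(node, ast.Expression):
            return _eval(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return event[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](_eval(node.left), _eval(node.right))
        raise ValueError("unsupported syntax: " + type(node).__name__)

    return _eval(tree)


if __name__ == "__main__":
    print(evaluate("memMB / totalMemory * 100", SAMPLE_EVENT))  # 25.0
    print(evaluate('"http://" + url', SAMPLE_EVENT))            # http://logscape.com/news
    print(missing_fields("memMB / freeMemory", SAMPLE_EVENT))   # ['freeMemory']
```

The evaluator walks the parsed tree rather than calling eval() so that an expression stored in a field definition can only read fields and do arithmetic; the allow-list of operators is the whole attack surface.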

Text Functions -

  • substring - Returns the substring between the start text and the end text.

    substring-match: START,END
    The following text belongs to a Cisco ASA log and I want to retrieve the log level of the error, which is the text between the two dashes:
    ASA-1-10600
    Use the following substring expression to get the error level:
    substring-match: -,-
  • lastsubstring - Follows the syntax of the substring function but returns the last substring in the text. If you had the following URL string

    http://logscape.com/news/today.html
    and you wanted to retrieve the last path, you would use the following expression:
    lastsubstring: /,/

  • split - Retrieves an item from a CSV-like value. It has this syntax:

    split,DELIM,POS
    If you had this value
    joe:blog:32
    and you wanted to extract the surname blog, you would use this expression:
    split,:,2
    The delimiter or separator is : and the position is 2.
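The three text functions, reimplemented in Python as an added example (not Logscape's own code) and run over the sample values from this page. Two details the page leaves implicit are treated as assumptions here: split positions are 1-based (the page's split,:,2 returning blog), and lastsubstring returns the rest of the string when no END marker follows the last START marker (which is what makes the URL example return today.html). Markers that do not match yield None rather than a partial value, so a non-matching event gets an empty field instead of a misleading one.

```python
# Constructed sample values, copied from the examples on this page.
ASA_MESSAGE = "ASA-1-10600"
URL = "http://logscape.com/news/today.html"
CSV_LIKE = "joe:blog:32"


def substring_match(text, start, end):
    """Text between the first START marker and the next END marker after it.

    Returns None when either marker is absent.
    """
    s = text.find(start)
    if s < 0:
        return None
    s += len(start)
    e = text.find(end, s)
    if e < 0:
        return None
    return text[s:e]


def lastsubstring(text, start, end):
    """Text after the last START marker, up to the next END marker.

    Assumption (not stated on the page): if no END follows the last START,
    the remainder of the string is returned.
    """
    s = text.rfind(start)
    if s < 0:
        return None
    s += len(start)
    e = text.find(end, s)
    return text[s:] if e < 0 else text[s:e]


def split_field(value, delim, pos):
    """POS-th item of a delimited value; positions are 1-based (assumption)."""
    parts = value.split(delim)
    if pos < 1 or pos > len(parts):
        return None
    return parts[pos - 1]


def apply_synth_expression(expression, value):
    """Dispatch one of the page's text-function expressions to its function."""
    if expression.startswith("substring-match:"):
        start, end = expression[len("substring-match:"):].strip().split(",", 1)
        return substring_match(value, start, end)
    if expression.startswith("lastsubstring:"):
        start, end = expression[len("lastsubstring:"):].strip().split(",", 1)
        return lastsubstring(value, start, end)
    if expression.startswith("split,"):
        _, delim, pos = expression.split(",", 2)
        return split_field(value, delim, int(pos))
    raise ValueError("unknown synth expression: " + expression)


if __name__ == "__main__":
    print(apply_synth_expression("substring-match: -,-", ASA_MESSAGE))  # 1
    print(apply_synth_expression("lastsubstring: /,/", URL))            # today.html
    print(apply_synth_expression("split,:,2", CSV_LIKE))                # blog
```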

Views

Views affect how a field value is displayed. Heatmaps are defined in the field section.
Heatmap-numeric - The example below applies a heatmap to the values between 1 and 100.

{"heatmap-numeric":"1..100"}
When this field is displayed in a table the cell will receive a colour ranging from cool to increasingly warm colours.

Heatmap-enum - Text values can also be heatmapped. The example shows a heatmap for the log4j log levels.

{ "heatmap-enum": "DEBUG:white,INFO:#95F7C3,WARN:#F3DA87,ERROR:#EAA261,FATAL:#E03930" }
The labels use this syntax:
LABEL:COLOR
LABEL is the text to be coloured and COLOR can be expressed as a hex value (e.g. #E03930), an rgb value (e.g. rgb(100,200,123)) or as hsv.
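An added example (not part of this page or of Logscape) that parses the two heatmap view definitions above and validates each COLOR as a hex value, an rgb(...) value, an hsv(...) value or a colour name. The hsv(...) argument layout is not given on the page and is assumed here to be hsv(h,s%,v%). Note how the entry list is split: because an rgb(...) colour itself contains commas, splitting the heatmap-enum string on every comma would corrupt such entries, so it is split only on commas that sit outside parentheses.

```python
import re

# Constructed view definitions, copied from the two examples on this page.
NUMERIC_VIEW = {"heatmap-numeric": "1..100"}
ENUM_VIEW = {
    "heatmap-enum": "DEBUG:white,INFO:#95F7C3,WARN:#F3DA87,ERROR:#EAA261,FATAL:#E03930"
}

_HEX = re.compile(r"^#[0-9A-Fa-f]{6}$")
_RGB = re.compile(r"^rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)$")
# hsv(...) argument format is not given on the page; this pattern is an assumption.
_HSV = re.compile(r"^hsv\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*\)$")
_NAMED = re.compile(r"^[A-Za-z]+$")
# Split on commas that are not inside parentheses, so rgb(1,2,3) stays whole.
_ENTRY_SPLIT = re.compile(r",(?![^()]*\))")


def is_valid_color(color):
    """Accept a hex value, rgb(...), hsv(...) or a bare colour name."""
    return any(p.match(color) for p in (_HEX, _RGB, _HSV, _NAMED))


def parse_heatmap_numeric(view):
    """'1..100' -> (1.0, 100.0); raises on a malformed or inverted range."""
    lo, sep, hi = view["heatmap-numeric"].partition("..")
    if sep != "..":
        raise ValueError("numeric heatmap must be LOW..HIGH")
    lo, hi = float(lo), float(hi)
    if lo >= hi:
        raise ValueError("numeric heatmap range must increase")
    return lo, hi


def heat_fraction(value, bounds):
    """Position of value in the range, 0.0 (cool) to 1.0 (warm), clamped."""
    lo, hi = bounds
    return min(1.0, max(0.0, (float(value) - lo) / (hi - lo)))


def parse_heatmap_enum(view):
    """'LABEL:COLOR,...' -> {LABEL: COLOR}; rejects malformed entries and colours."""
    mapping = {}
    for entry in _ENTRY_SPLIT.split(view["heatmap-enum"]):
        label, sep, color = entry.partition(":")
        label, color = label.strip(), color.strip()
        if sep != ":" or not label or not is_valid_color(color):
            raise ValueError("bad heatmap-enum entry: " + entry)
        mapping[label] = color
    return mapping


def color_for(label, mapping):
    """Colour for a label, or None when the label has no entry (cell left uncoloured)."""
    return mapping.get(label)


if __name__ == "__main__":
    bounds = parse_heatmap_numeric(NUMERIC_VIEW)
    print(bounds, heat_fraction(100, bounds))      # (1.0, 100.0) 1.0
    levels = parse_heatmap_enum(ENUM_VIEW)
    print(color_for("WARN", levels))               # #F3DA87
    print(color_for("TRACE", levels))              # None
```

Validating the colour strings matters because a view definition ends up in the browser as styling; accepting only the forms the page documents keeps arbitrary text out of the rendered table.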