Have you ever tried to use a field in vCenter Log Insight only to find it (sometimes) unavailable under the Fields section of the Interactive Analytics page? I would like to talk about why fields are sometimes unavailable and how you can find and/or modify them.
From the Interactive Analytics page, you will notice a fields section to the right of the events that have been ingested by Log Insight.
Fields in Log Insight can be defined in a variety of ways including:
- Statically: built into Log Insight. This includes RFC-compliant syslog metadata such as priority, facility, source, hostname, and appname. Static fields show no information to the right of their names. Static fields cannot be changed or deleted.
- Content Pack: included in a content pack. This typically includes vendor-, product-, or application-specific fields defined in a content pack. Content pack fields have the name of the content pack in parentheses to the right of the field name and an eye icon, meaning read-only, to the right of the content pack name. Content pack fields cannot be edited, but they can be removed by removing the content pack.
- Extracted: created by a user of a Log Insight instance. Extracted fields can be saved privately to a user or publicly to all users of a Log Insight instance. Extracted fields have a pencil, meaning editable, to the right of the field name. Extracted fields can be edited or deleted by the field author or an admin user in the case of shared fields.
- Orphaned (Log Insight 1.0 only): a special case where a saved query contains a field that has since been deleted. Orphaned fields are shown in a green dialog box under the Fields section when a saved query containing such a field is run. Orphaned fields can be saved back into a Log Insight instance if desired, or removed by deleting any saved queries that rely on the orphaned field.
- Temporary (Log Insight 1.5 and newer): a special case where a saved query contains a field that has since been removed. Temporary fields always have a temporary namespace shown in parentheses to the right of the field name. Temporary fields are read-only and can only be removed by removing the saved queries that rely on the field.
When you load the Interactive Analytics page, fields will be shown in the Fields section.
By default, the Interactive Analytics page displays 50 events/results for the given query. The fields made available are fields that appear within those 50 events/results. If you change the query (e.g. rerun with a different time range, use a different query), the fields section will update to show only the relevant fields in the first 50 events/results.
If you go to a different page of events/results and new fields become available, they are appended to the list in the Fields section. That list persists until a new query is run or more fields become available. Even if you switch back to a previous page whose events do not contain the fields found on the later page, the list shown in the Fields section stays the same.
Here are some commonly asked questions regarding fields in Log Insight:
- How can you edit and/or delete a field if it does not appear under the Fields section? Select the menu drop-down button to the right of the Search button and choose Manage Extracted Fields. From here, you have access to all non-statically defined fields.
  For custom fields, selecting a field displays its definition and allows it to be edited, while selecting the red X deletes it. For content pack fields, selecting a field displays its definition in a read-only fashion.
- How can you use a field in a constraint and/or as part of an aggregation if it does not appear in the Fields section?
  - In Log Insight 1.0, you must run a query that returns the desired field. A field is a regular expression pattern match for a particular type of event, so if you run a query similar to the one used to define the field, the field will appear.
  - In Log Insight 1.5 TP3 (beta), new functionality allows you to add any defined field as a constraint whether or not the field shows up in the displayed results. For more information on this new feature, see: https://sflanders.net/2013/10/14/announcing-log-insight-1-5-beta/.
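To make the two behaviours above concrete (fields are regular-expression matches per event type, and the Fields section is built from the first 50 results and only grows as you page), here is a small model of that logic. It is an added illustration written for this post, not Log Insight code; the field names, patterns and vpxd-style events are constructed.

```python
import re
from dataclasses import dataclass

PAGE_SIZE = 50  # Interactive Analytics shows 50 events/results per page


@dataclass
class ExtractedField:
    name: str
    pattern: str  # regex that identifies the event type and captures the value


def field_names_in(events, fields):
    """Names of fields whose pattern matches at least one event, in definition order."""
    return [f.name for f in fields if any(re.search(f.pattern, e) for e in events)]


class FieldsSection:
    """Models which fields the Fields section lists for the current query."""

    def __init__(self, fields):
        self.fields = fields
        self.results = []
        self.available = []  # ordered list of field names currently shown

    def run_query(self, results):
        """A new query rebuilds the list from the fields found in the first page."""
        self.results = list(results)
        self.available = field_names_in(self.results[:PAGE_SIZE], self.fields)
        return self.available

    def goto_page(self, page):
        """Paging appends fields seen on the new page; paging back never removes any."""
        start = (page - 1) * PAGE_SIZE
        for name in field_names_in(self.results[start:start + PAGE_SIZE], self.fields):
            if name not in self.available:
                self.available.append(name)
        return self.available


# Constructed sample data: hypothetical field definitions and vpxd-style events.
FIELDS = [
    ExtractedField("vc_user", r"User (\S+) logged in"),
    ExtractedField("vm_name", r"powered on (\S+)"),
]
LOGIN_EVENTS = [f"vcenter vpxd: User admin@vsphere.local logged in (session {i})" for i in range(60)]
POWER_EVENTS = [f"vcenter vpxd: Virtual machine powered on web{i:02d}" for i in range(5)]


def demo():
    section = FieldsSection(FIELDS)
    first = list(section.run_query(LOGIN_EVENTS + POWER_EVENTS))  # page 1: only vc_user
    second = list(section.goto_page(2))                           # page 2 adds vm_name
    back = list(section.goto_page(1))                             # back to page 1: unchanged
    reset = list(section.run_query(LOGIN_EVENTS))                 # new query: list rebuilt
    return first, second, back, reset
```

Running `demo()` shows why a field can be "missing": vm_name only appears once a page containing a power-on event has been viewed, and a query that returns no such events never lists it at all.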
© 2013, Steve Flanders. All rights reserved.