Skip to main content

fields operator

The fields operator allows you to specify which fields to display and their order in the results of a query. Use a fields operator to reduce the "clutter" of a search output that contains fields that aren't completely relevant to your query.

There are two fields operator modes:

  • Allowlist - only the fields included are kept in the search output.
  • Denylist - all the fields except those you specify to be excluded are in the search output.

To specify the order of returned fields you must use the fields operator last, at the end of your query.

note

Fields are not returned in the specified order in Search Job API and Webhook results.

Allowlist

For allowlist mode, only fields you specify for inclusion are kept in the search output. For example, to strip out every field except for method and status_code, your query would be:

_sourceCategory=Apache/Access 
| parse " \"* " as method
| parse "\" * " as status_code
| fields method, status_code

The search results would look like this:

Fields

Allowlist queries allow all system internal fields (fields prefixed with an underscore "_") to pass.

Denylist

For denylist mode, all fields except for those you explicitly remove remain in the search output. Denylist mode is indicated with a minus sign "-" in a query. For example, to only remove the log_level, module, and process_id fields, your query would be:

_sourceCategory=*apache* 
| fields - log_level, module, process_id

Denylist queries will also remove internal fields (fields prefixed with an underscore "_") when specified. For example:

_sourceCategory=*apache* 
| count by size
| fields - _count

Make sure that your query does not repeat or duplicate individual fields, or your search query will fail. 

Non-aggregate vs. Aggregate Query Results

The fields displayed in query results are different for non-aggregate and aggregate queries.

By default, all non-aggregate query results, which appear in the Messages tab, include the # (results list number), Time, and Message field, along with any other fields you have allowlisted in your query.

Aggregate query results, which appear in the Aggregates tab, include only the fields that you have specified in your query.

For example, for this non-aggregate query:

_sourceCategory=Apache/Access
| parse " \"* " as method
| parse "\" * " as status_code
| fields method, status_code

The search results would look like this:

Fields_nonaggregate

While the same query with an added count by statement to make it an aggregate query:

_sourceCategory=Apache/Access
| parse " \"* " as method
| parse "\" * " as status_code
| count by method, status_code
| fields status_code, method

This would provide the following results:

Use a Field Name that Contains Spaces or Special Characters

The Sumo Logic search language allows a-zA-Z\ as valid characters for identifiers for fields. In cases where a field name contains other characters you need to escape the field name by using the % character and wrapping the field name in double quotes. 

Syntax: %"field_name"

Here's an example:

| "Robot" as %"learning robot .33."

This creates a field named "learning robot .33." with the value "Robot".

Ordering fields

By default, the fields in non-aggregated results are ordered alphabetically. You can specify a different order by using the fields operator.

For example, if you used:

| fields status_code, method

Sumo displays the status_code field first, then the method field second.

In an aggregate result, field and column order follows the requested order of the query.

For example, if you used:

| count by status_code, method

Sumo displays the status_code field first, and the method field second.