Understanding fields and tags

This topic provides information about fields and tags. You can add fields and tags to your search criteria to narrow down your search results while investigating your log file data. These fields and tags are displayed under the Filters panel on the Search tab.

About fields

When you assign a data pattern to a data collector, the tokens used in the data pattern are extracted as fields and are searchable as name=value pairs. If the data pattern contains the details token, the product looks for the equals sign (=) to use as a delimiter to extract the name=value pairs.

In addition, for every data entry that is indexed, the product assigns certain fields based on the inputs specified at the the time of creating a data collector or by certain default settings. These fields are treated as default fields and are displayed on the Search page, on the Filters panel, under the Fields section. The Filters panel is displayed after you perform a search.

For every field, a count of occurrences is displayed in parentheses () next to the field name. If the number of occurrences is too large, an approximate count is displayed with a plus sign (+). When you expand such a field, the values show the approximate count with an asterisk (*) next to them. The plus sign next to the field name and the asterisk next to the field values indicate that the count for those fields or values is an approximate number, not an exact number. If you select one of the field values to add it to the search criteria and click Search, the accurate count is displayed next to that value.

In addition to the default fields, you can specify additional fields to display under the Fields section for use in further searches. For more information, see Filtering-your-search-results.

You can also search based on certain internal fields.

When you search for name=value pairs, note that the name is limited to the following characters:

• Letters (irrespective of case)
• Numbers (0 to 9)
• Underscore (_)
• Hyphen (-)
• Period (.)

Default fields

The following table provides a list of default fields:

User input	Field name
Name Refers to the name specified to identify the data collector	COLLECTOR_NAME
Server Name Indicates the host name, IP address, or fully qualified domain name of the computer from which the data entry originates. Can be used to locate data originating from a specific host.	HOST
Pattern Refers to the name of the data pattern used for creating the data collector	DATA_PATTERN
Absolute file path retrieved from one or more of the user inputs: File Path for Upload File data collector Script Path for Monitor Script Output over SSH and Monitor-script-output-on-Collection-Agent Directory Path and Filename/Rolloverpattern for the Monitor File over Windows Share and Monitor-file-over-SSH data collectors.	COLLECTOR
Fields extracted for the BMC ProactiveNet Performance Management events as defined by the bppm.reader.index.slotNames property in the custom directory for the Collection Station Warning Note Beginning with version 10.0, BMC ProactiveNet Performance Management is known as BMC TrueSight Infrastructure Management.	mc_host pn_object_id pn_object_class_id mc_parameter severity mc_incident_time mc_arrival_time

Internal fields

The following fields are treated as internal fields:

• details
• SEQUENCE_ID
• _ignore
• utcdiffminutes
• timestamp
• _raw
• RAW_EVENT_DATA

Internal fields are usually not available for searching. But you can use the timestamp field as a part of your search criteria. The timestamp field is added at the time of indexing a data record and can be most useful while using search commands. For example, you can use the timestamp field with the filter search command to display search results matching the filter criteria associated with the field.

About tags

You might have data with similar field values that can be grouped or categorized in a particular way. You can assign tags for such values while creating a data collector. These tags can be added to your search string to help improve your search. For more information, see Filtering-your-search-results.

For every tag, a count of occurrences is displayed in parenthesis () next to the tag name. If the number of occurrences is too large, an approximate count is displayed with a plus sign (+). When you expand such a tag, the values show the approximate count with an asterisk (*) next to them. The plus sign next to the tag name and the asterisk next to the tag values indicate that the count for those tags or values is an approximate number, not an exact number. If you select one of the tag values to add it to the search criteria and click Search, the accurate count is displayed next to that value.

To be able to assign tags while creating a data collector, you must first add them by navigating to Administration > System Settings. For example, if you have a field for the host name of computers that are used at various locations, you might want to assign a tag for the location from which the data is generated. You might also have tags for the department or the operating system from which  the data is generated.