Special Logs Fields
Sematext Logs App looks for the following fields in logs and gives them a special treatment:
host is a single-valued field and should contain the ID (typically a hostname) of the device or server sending logs.
source is a single-valued field and should contain the ID or descriptor of where the data is coming from. For example, this could be a file name or even a full path to a filename, or the name of the application or process.
facility is a single-valued field used by syslog to indicate the facility level. Logsene stores the keyword values of these levels (such as user or auth).
severity is a single-valued field and should contain the log level, such as error or info.
syslog-tag is a single-valued field used by syslog to indicate the name and the PID of the application generating the event (for example, httpd: )
tags is a multi-valued array field that can contain zero or more tags. Tags can contain multiple tokens separated by space.
message is a string field that can contain any sort of text (usually the original log line or some other free text)
@timestamp is a date field, on which log retention is based. If it's not present, it will be added automatically when the log event is received by Sematext. See Supported Date Formats.
All of these fields are optional, but their use is strongly encouraged. If found in logs with low-enough cardinality, all distinct values of these fields will be loaded and shown in the UI as filters and thus allowing one to very quickly narrow down the search.