Adding Fields to the Schema

The Logger schema contains a predefined set of fields. A field-based query can contain only these fields. Additionally, you can index only these fields for faster search operations. For instructions on how to view the default Logger schema fields, see Default Fields.

Prior to Logger 5.2, if your log analysis needs required you to search on a field that is currently not present in the Logger schema, you did not have a way of adding it to the schema yourself. Starting with Logger 5.2, you can add additional fields to the Logger schema. That is, you can insert fields in your Logger schema that are relevant to the events you collect on your Logger, thus enabling you to search and report using these fields. Additionally, you can index the fields you add so that the search and report queries that use these fields run faster. For example, a financial institution might want to add credit card numbers or social security numbers to the schema.

You can add up to 100 custom schema fields on Logger. You can also import custom fields from a peer Logger. However, the total number of added and imported fields cannot exceed the maximum allowed 100 fields.

You can index up to 123 fields on Logger. Therefore, the number of custom schema fields you can index will depend on the number of default fields you currently have indexed on your Logger.

Note: Logger cannot process the additional fields data received in CEF version 0 from a FlexConnector, and assumes a NULL value for such fields when they are present in a CEF version 0 event. As a result, you cannot search on these fields or index them. However, these fields are displayed in the UI display when you select “*” in the field set because the interface displays information contained in the raw event. Therefore, if Logger receives “ad.callnumber=5678”, the Logger UI will display a column, ad.callnumber, with value 5678. However, a search on “5678” will not return this event in the search results.

You need to be in maintenance mode to add or import custom schema fields. The process of adding or importing schema fields involves an add or import operation followed by a save operation. The add or import operation adds the specified fields but does not write them to the Logger schema. You can edit or delete the added or imported fields at this point. Once you save these fields, the fields are written to the schema. From this point on, these fields cannot be edited or deleted. Therefore, carefully review the fields you are adding to the schema before saving them.

Note: For the “Add Fields” operation to show as an option under the System Maintenance operations (Configuration > Advance > Maintenance Operations), you need to belong to the System Admin group (with “Enable Maintenance Mode” privilege enabled) and the Logger Rights group. See Users/Groups for more information on Logger user rights and how to administer them.

You need to specify the following information to add a custom schema field

Additional data field - If the Add prefix ad. and suffix box is not checked, the actual field name stored in Logger schema and the field name entered by the user will be the same. If the Add prefix ad. and suffix box is checked, field name stored in Logger schema as actual field name will be added automatically with prefix and suffix information. CEF events received by Logger must have the corresponding prefix and suffix in the field name, so the event field can be properly indexed and used in field-based search query.
Display name — A meaningful name for the field. This name is displayed as the column header name for the field and is the one you specify in a search query. For example, SocialSecurityNumber. On the other hand , If you are adding a predefined CEF name, an auto suggestion list is displayed in this field.

Type — The type of data this field will contain. The available options are Double, BigInt, DateTime, Text.

The following table describes each data type.

Type	Description
Double	Use to store decimal numbers or fractions. Numbers from `‑1.79769313486231570E+308` through `‑4.94065645841246544E-324` for negative values, and `4.94065645841246544E-324` through `1.79769313486231570E+308` for positive values.
BigInt	Use to store whole numbers. Numbers from `‑2^63` through `2^63‑1`, or ‑9,223,372,036,854,775,808 through 9,223,372,036,854,775,807.
DateTime	Use to store both dates and time or only dates.
Text	Use to store any characters. You can store a maximum of 255 characters per field.

Length — This field is only relevant when the Type specified is Text. This field specifies the maximum number of characters allowed in the value of the field when the data type is Text.
Field name — The field name that you want to add to the Logger schema. Typically, this is an abbreviated version of the Display name. For example, SSN.