Discovering Fields in Raw Event Data

The Field Summary feature can automatically discover non-CEF fields from a raw event if the Discover Fields option is enabled.

By default, the Discover Fields option is disabled (set to No). To enable the Discover Fields option for all searches on your Logger, change the default value to Yes under Configuration > Search > Search Options > Field Summary Options.

However, if you need to use the Discover Fields option only occasionally rather than for all searches, you can enable it for one-time use from the user interface page where you run the search query. To do so, select the Discover Fields checkbox in the search display options before running the query.

Tip: To auto discover fields, the raw event must contain data in the “key=value” format, and none of these characters can be the first character of the “value”: comma, space, tab, and semicolon.

For each “key=value” pair found in a raw event, a new field named “key” is created. The Field Summary includes a summary of the values for all the new fields under the Discovered Fields section. The discovered fields are assigned the type “String” by default. The auto-discovery capability works only if at least 2,500 of the first 10,000 matching events contain “key=value” pairs. If this threshold is not met, auto discovery is automatically turned off. However, this threshold does not apply if there are fewer than 10,000 matching events; in that case, fields are discovered regardless.
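The discovery rules above (a “key=value” pair whose value does not start with a comma, space, tab or semicolon; the 2,500-of-the-first-10,000 threshold; no threshold when fewer than 10,000 events match) can be modelled in a few lines. The following is an added illustration, not Logger’s own code: it assumes keys are runs of word characters, that values are whitespace-delimited, and that the value summary covers every matching event while only the first 10,000 are used for the threshold check. The sample events are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample raw events; not taken from any real Logger instance.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 host sshd: user=alice src=10.0.0.5 action=login status=success",
    "Jan 10 12:00:02 host sshd: user=bob src=10.0.0.7 action=login status=failure",
    "Jan 10 12:00:03 host app: service restarted without incident",
    "Jan 10 12:00:04 host fw: user=carol src=10.0.0.9 action=logout status= empty",
]

# Threshold constants as described in the documentation (assumption: applied literally).
SAMPLE_WINDOW = 10_000          # only the first 10,000 matching events are examined
MIN_EVENTS_WITH_PAIRS = 2_500   # at least this many of them must carry key=value pairs

# Characters that may not be the first character of a value.
BAD_FIRST = {",", " ", "\t", ";"}

# Assumption: a key is a run of word characters immediately followed by '='.
KEY_RE = re.compile(r"\b(\w+)=")


def extract_pairs(event):
    """Return the key=value pairs found in one raw event.

    A pair is skipped when nothing follows '=' or when the value's first
    character is a comma, space, tab or semicolon. Values are assumed to
    run up to the next whitespace character.
    """
    pairs = {}
    for m in KEY_RE.finditer(event):
        key = m.group(1)
        start = m.end()
        if start >= len(event) or event[start] in BAD_FIRST:
            continue  # e.g. "status= empty" is rejected, the value starts with a space
        end = start
        while end < len(event) and not event[end].isspace():
            end += 1
        pairs[key] = event[start:end]
    return pairs


def discover_fields(events):
    """Apply the auto-discovery threshold and build a per-field value summary.

    Returns None when discovery is turned off (10,000 or more matching events
    but fewer than 2,500 of the first 10,000 contain pairs). Otherwise returns
    {field_name: {value: count}}, which is an empty dict if no pairs exist.
    Every discovered field would be typed "String" by default.
    """
    window = events[:SAMPLE_WINDOW]
    events_with_pairs = sum(1 for e in window if extract_pairs(e))
    if len(events) >= SAMPLE_WINDOW and events_with_pairs < MIN_EVENTS_WITH_PAIRS:
        return None  # threshold not met: auto discovery is turned off

    summary = defaultdict(Counter)
    for e in events:  # assumption: all matching events contribute to the summary
        for key, value in extract_pairs(e).items():
            summary[key][value] += 1
    return {key: dict(counts) for key, counts in summary.items()}


if __name__ == "__main__":
    for field, values in discover_fields(SAMPLE_EVENTS).items():
        print(f"{field} (String): {values}")
```

With the four sample events, `user`, `src`, `action` and `status` are discovered; `status` has only two values because the third occurrence (`status= empty`) starts with a space and is rejected. Running the same function over 10,000 events of which none carry pairs returns `None`, while 9,999 such events return an empty summary, which is the “fewer than 10,000 matching events” exception in action.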