Question:
I have extracted fields using Field Extraction Rules. Can I use them as search criteria using Live Tail?
Answer:
Sumo Logic attempts to make your incoming data appear in Live Tail as close to real time as possible. In order to do the Live Tail query occurs as one of the first steps as your data is received into the Sumo Logic service. Because Field Extraction Rules require additional processing time to apply and extract the values from your logs this step occurs later in the ingest process. Due to when Field Extraction Rules are applied the fields extracted are not available and cannot be used as search criteria when running a Live Tail query.
Note: If you have overwritten a system metadata field name via a Field Extraction Rule, such as sourceCategory or sourceHost, you will need to use the original metadata value when running a Live Tail query.
Additional Help Articles:
Comments
0 comments
Please sign in to leave a comment.