Types of Columns
There are two types of columns: system columns and parsed columns.
The system columns are available by default in all data models. System columns contain event metadata such as event body (sys_body), event time (sys_eventTime), or the device name that produced the event (sys_device).
Parsed columns are specific to data models. They are defined in the data model and their values are parsed from the body of the event.
The following table describes all system-generated columns.
Name | Type | Description |
---|---|---|
sys_body | String | The text of the event |
sys_collectIP | InetAddress | The IP address from which the event originated. Both IPv4 and IPv6 are supported. |
sys_collectTime | Long | The time when the event was ingested. Currently unused. |
sys_collectorDomain | String | Name of the collector domain for this event |
sys_collectorDomainId | long | ID of the collector domain for this event |
sys_concentratorId | String | IP address, in IPv4 format, of the LogLogic LMI appliance or group of appliances on which a distributed Advanced Search query is run. |
sys_device | String | Name of the device for this event |
sys_deviceType | String | Name of the device type for this event |
sys_eventKey | String | A unique key that identifies the event in the LogLogic storage |
sys_eventTime | Timestamp | The UTC time of the event in Epoch milliseconds. For syslog data, sys_eventTime is the time the event was collected. For file log data, sys_eventTime is the original event time. |
sys_filename | String | The file name for an event collected from a file |
sys_sourceSubType | String | Sub-classification of the source type. Currently unused. |
sys_sourceType | Integer | ID of the device type |
- sys_collectTime
- sys_collectorDomainId
- sys_concentratorId
- sys_domain
- sys_eventKey
- sys_filename
- sys_sourceSubType
- sys_sourceType