Skip to content

Update dynamic-parsing.md #4953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jan 14, 2025
Merged

Update dynamic-parsing.md #4953

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
592d6c6
Update dynamic-parsing.md
JV0812 Jan 13, 2025
b06b659
Merge branch 'main' into add-note-about-null-value
JV0812 Jan 13, 2025
028a3cc
Merge branch 'main' into add-note-about-null-value
JV0812 Jan 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions docs/search/get-started-with-search/build-search/dynamic-parsing.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,7 @@ Run Time FERs have a scope, exactly like an Ingest Time FER, that defines which
1. Enter the following options:

* **Rule Name**. Type a name that makes it easy to identify the rule.

* **Applied At**. Select **Run Time**.

* **Scope**. Select **Specific Data** and define the scope of your JSON data. You can define your JSON data source as a [Partition](/docs/manage/partitions) Name(index), sourceCategory, Host Name, Collector Name, or any other [metadata](../search-basics/built-in-metadata.md) that describes your JSON data. Think of the Scope as the first portion of an ad hoc search, before the first pipe (`|`). You will use the Scope to run a search against the rule. You can't use keywords like “info” or “error” in your scope.

Always set up JSON auto extraction (Run Time field extraction) on a specific Partition name (recommended) or a particular Source. Failing to do so might cause the auto parsing logic to run on data sources where it is not applicable and will add additional overhead that might deteriorate the performance of your queries.
Expand Down Expand Up @@ -111,7 +109,9 @@ Search results table:
* The query `_sourceCategory = A or _sourceCategory = B` is applied, only within the log lines that fall within `_sourceCategory = A`, while the remaining log lines are not parsed by this Run Time FER.

1. If a field does not exist in the schema of the log message, null results are displayed for the field (instead of erroring out).

:::note
When a field contains null values, dynamic parsing attempts to interpret those values and assigns them a string data type. This can create issues if you expect different data types for that field. To resolve the issue, use `field=*` in the source expression to eliminate null values.
:::
1. Ingest Time FERs take precedence for field assignments. A Run Time FER will not override a field assignment from an Ingest Time FER.

Conflicts between Ingest and Run Time fields are evaluated by each log line in the following ways:
Expand Down
Loading