diff --git a/docs/apm/traces/search-query-language-support-for-traces.md b/docs/apm/traces/search-query-language-support-for-traces.md index 61e38fb5e5..49fc89900c 100644 --- a/docs/apm/traces/search-query-language-support-for-traces.md +++ b/docs/apm/traces/search-query-language-support-for-traces.md @@ -35,6 +35,8 @@ To search your tracing data do the following: A Keyword Search Expression defines the scope of data for the query. You need to specify `_index=_trace_spans` in the scope to reference your trace data. +Keyword searching is supported for tracing indexes across all fields, unlike other indexes where only the `_raw` field is searched. + #### _any option In scenarios where users are not familiar with the schema and would like to search across all the fields, `_any` modifier provides a means to search for a specified value from all of the Ingest Time Fields in your data. For example, to search for data with any field that has a value of success you would put `_any=success` in the scope of your query. diff --git a/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md b/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md index d310be56a5..037a7ad142 100644 --- a/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md +++ b/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md 
@@ -162,6 +162,8 @@ You can search Cloud SIEM fields by keyword, for example: `_index=sec_record_authentication kerberos` +Keyword searching is supported for security indexes across all fields, unlike other indexes where only the `_raw` field is searched. + ### Referencing nested JSON fields The **Security Record Details** field contains a JSON object with all of the fields from the underlying record or signal. Some of the data is nested in one or more sub-objects, like the `fields` object for record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.
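Review bot: In the first hunk (docs/apm/traces/search-query-language-support-for-traces.md), the added sentence "Keyword searching is supported for tracing indexes across all fields" lands directly above the `#### _any option` section, which says the `_any` modifier "provides a means to search for a specified value from all of the Ingest Time Fields". A reader now gets two adjacent statements about searching all fields and no explanation of how they relate: if a bare keyword in a `_index=_trace_spans` scope already matches every field, it is unclear what `_any=success` adds for trace data, or whether it behaves differently. Suggest either stating the relationship explicitly (for example, that a bare keyword on the trace index is equivalent to `_any=<value>`, or that `_any` remains the recommended form) or moving the new sentence into the `_any option` section so the two are read together. Also consider naming the index the sentence applies to (`_trace_spans`) rather than the looser "tracing indexes", since that is the only index the surrounding text references.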
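Review bot: In the second hunk (docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md), "security indexes" is undefined in the visible text; the only index shown is `_index=sec_record_authentication`, so the reader cannot tell whether the statement covers every `sec_record_*` index, signal and insight indexes, or just records. The sentence is also inserted immediately before `### Referencing nested JSON fields`, which explains that **Security Record Details** holds a JSON object with nested sub-objects such as `fields`; "across all fields" should say whether a keyword matches values inside that nested JSON or only top-level fields, since that is the question the next section invites. Suggest naming the index family the claim applies to and adding one clause on nested-JSON behaviour. The sentence is a near-verbatim copy of the one added in the traces doc, so whichever wording is settled on should be applied to both. Minor, pre-existing: the context line "like the `fields` object for record., shown expanded" has a stray period after "record" that could be fixed while this file is being touched.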