Allow to perform parsing and custom fields extraction
i.e. many logs have a single line of 'message' or 'description' - you want to parse that out into discrete parts that you can perform aggregations (group by) against.
Custom field extraction is live!
Read the blog post at http://blogs.technet.com/b/momteam/archive/2015/08/18/create-your-own-fields-in-oms-with-custom-fields.aspx, try it yourself, and file new feedback as necessary!
Thuan Soldier commented
Any support for Log Query?
Intekhab A Sheikh commented
Extraction from the RawData field is not useful. It is not giving me the right result if I want to extract the data into 5 fields, which are basically a comma-separated string.
Stijn Soens commented
I want to get the hosts which I perform Veeam backup on so I'm searching Events with Source=="Veeam MP" and EventID=="150" and next try to filter the RenderedDescription which normally is something like VM SRV-HST-01 task has finished with 'Success' state. So I highlight the machine name, right click and extract to a field BackupHost_CP but when I want to create it, the interface (Chrome and Edge) just keeps mentioning it's learning and I cannot interact with the search samples provided. Not sure what's wrong here...
Jason van der Paal commented
It would be great if we could specify a delimiter in the custom data and split it into custom fields.
The current method of creating custom fields is very "hit and miss"
We see the graphical highlighting mainly as a convenience; we have some pretty reliable prototypes we have been evaluating, but we would still allow the ability to manually edit/override the expressions for maximum control by power users! Good feedback, thanks!
This is a major piece for enabling 'custom datasources'. We would like to enable this down the road but it first requires some platform work to enable per-tenant schema.
Point and click is nice but we really need to have full regex capability for this to be useful as opposed to a point and click trying to generate regex on the backend and possibly not getting it right.
Trey, if the field is full-text indexed, you should be able to search for keywords that you see in the results.
Queries such as "error" or "timeout" are perfectly valid.
But it depends on how each field has been defined (i.e. if it gets tokenized in 'words' or if it is treated as a single unique string for faceting), so there might be some exceptions (and/or bugs). Let us know (maybe on a separate idea or in mail) which specific word you see and are trying to search for that doesn't come up. We need to look on a case-by-case basis. I.e. see this other bug where the field we need is not actually indexed - http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519326-add-an-age-threshold-for-missing-updates
This idea tracked here is more about defining rules for PARSING new types of logs, or for breaking down long description fields in discrete parts, so then you would be able to use MEASURE and group by this new 'field'. Basically this idea is about letting you extract your own fields.
Trey Morgan commented
I want to be able to query against any of the words displayed in the search results. If I see the key word in the results I should be able to search for it across all my logs and build a table or graph with the data.
For me - I want to extract specific values from IIS logs' querystring - so I need to split it by "&" and "=".
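An added example, not part of the thread and not the product's own extraction logic: the three extractions requested in the comments above (a regex on the Veeam description, a delimiter split into five fields, and an IIS querystring split on "&" and "="), done in Python before the records are grouped. The `State` field, the five column names and all sample records are assumptions constructed for illustration.

```python
import csv
import re
from collections import Counter
from urllib.parse import parse_qsl

# Anchored pattern for the description format quoted in the thread.
# BackupHost_CP is the field name from the thread; State is a hypothetical name.
VEEAM_RE = re.compile(
    r"^VM (?P<BackupHost_CP>\S+) task has finished with '(?P<State>[^']*)' state")

# Constructed sample descriptions (not real log data).
SAMPLE_DESCRIPTIONS = [
    "VM SRV-HST-01 task has finished with 'Success' state.",
    "VM SRV-HST-02 task has finished with 'Failed' state.",
    "VM SRV-HST-03 task has finished with 'Success' state.",
    "Job 'Nightly' has started.",  # does not match: must stay unparsed
]

def extract_veeam(description):
    """Return the named fields, or None when the line does not match."""
    m = VEEAM_RE.match(description)
    return m.groupdict() if m else None

def extract_delimited(raw, names, delimiter=","):
    """Split one delimited record into named fields.
    csv (not str.split) keeps a quoted value containing the delimiter intact."""
    values = next(csv.reader([raw], delimiter=delimiter, skipinitialspace=True))
    if len(values) != len(names):
        return None  # wrong column count: do not shift values into wrong fields
    return dict(zip(names, values))

def extract_querystring(qs):
    """Split on '&' and '=', percent-decode, keep blank values and repeated keys."""
    fields = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        fields.setdefault(key, []).append(value)
    return fields

def count_by(records, field):
    """Group-by count over an extracted field, skipping unparsed records."""
    return Counter(r[field] for r in records if r and field in r)

if __name__ == "__main__":
    parsed = [extract_veeam(d) for d in SAMPLE_DESCRIPTIONS]
    print(count_by(parsed, "State"))
    print(extract_querystring("user=alice&tag=a%26b&tag=&debug"))
```

Returning `None` for a non-matching or short record keeps malformed lines out of the aggregation instead of silently shifting values into the wrong field.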