schema

Applies a log schema to convert field names to display names and either select only the fields defined in the schema or reorder them.

Command properties

| Property | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |

Syntax

schema [overlay={t|f}] [locale=STR] CODE

Options

overlay={t|f}
Whether to enable overlay mode. (Default: f)
  • t: Reorders only the fields defined in the schema, and also outputs fields not defined in the schema.
  • f: Selects and outputs only the fields defined in the schema.
locale=STR
Language to use for field display names. If not specified, the session locale is used.

Target

CODE
Code of the log schema to apply.

Error codes

Parsing errors

| Error code | Message | Description |
|---|---|---|
| 23600 | No schema parameter. | The schema code was not specified. |
| 23601 | No schema found for [code]. | No schema exists for the specified code. |

Runtime errors

N/A

Description

At execution time, the schema command is converted by the query planner into a combination of rename and fields (or order) commands. It renames each field defined in the schema to its display name.

When overlay=f (the default), only the fields defined in the schema are selected and output. When overlay=t, fields defined in the schema are sorted to the front while fields not defined in the schema are also included in the output.

If the locale option is specified, display names for that language are used. Otherwise, the current session locale setting is followed. If a display name for the requested language is unavailable, the default display name is used.
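
The following Python model is an added example, not the product's own code. It walks one row through the rename, select/reorder and locale-fallback behavior described above. The schema layout, the `ko` locale, the sample row and the helper names `apply_schema` and `dropped_fields` are assumptions made for illustration, as is the handling of fields missing from a row and the order of non-schema fields in overlay mode.

```python
# Added illustration: models the documented behaviour; not the product's code.
# The schema layout and all sample values are constructed for this example.
FIREWALL_SCHEMA = [  # ordered (field, display names); "default" is the fallback
    ("src_ip", {"default": "Source IP", "ko": "출발지 IP"}),
    ("dst_ip", {"default": "Destination IP", "ko": "목적지 IP"}),
    ("action", {"default": "Action"}),  # no "ko" display name defined
]

ROW = {  # constructed log row, fields in arbitrary order
    "_time": "2024-05-01 09:00:00",
    "nat_ip": "203.0.113.7",
    "action": "deny",
    "dst_ip": "198.51.100.5",
    "src_ip": "192.0.2.10",
}


def apply_schema(row, schema, overlay=False, locale=None, session_locale="en"):
    """Rename schema fields to display names, then select (overlay=f) or reorder (overlay=t)."""
    lang = locale or session_locale  # explicit locale wins over the session locale
    out = {}
    for name, names in schema:
        if name in row:  # assumption: fields absent from the row are skipped
            out[names.get(lang, names["default"])] = row[name]
    if overlay:
        defined = {name for name, _ in schema}
        for name, value in row.items():  # assumption: extras keep their row order
            if name not in defined:
                out[name] = value
    return out


def dropped_fields(row, schema):
    """Fields that overlay=f removes from the output; worth checking before triage."""
    defined = {name for name, _ in schema}
    return [name for name in row if name not in defined]


if __name__ == "__main__":
    print(apply_schema(ROW, FIREWALL_SCHEMA))
    print(apply_schema(ROW, FIREWALL_SCHEMA, overlay=True, locale="ko"))
    print(dropped_fields(ROW, FIREWALL_SCHEMA))
```

In this model, the default mode silently drops `_time` and `nat_ip` from the sample row, which is the case to check for before relying on schema output during an investigation.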

Examples

  1. Apply a schema

    table duration=1h firewall_logs | schema firewall
    

    Applies the firewall schema to the data from the firewall_logs table, converting field names to display names and outputting only the fields defined in the schema.

  2. Apply a schema in overlay mode

    table duration=1h firewall_logs | schema overlay=t firewall
    

    Sorts the fields defined in the firewall schema to the front while also including fields not defined in the schema.

  3. Apply a schema with a specified locale

    table duration=1h firewall_logs | schema locale=en firewall
    

    Applies the firewall schema and outputs field display names in English.