On this page

• Start Free Trial
• $l / $labels: User-managed labels
• $m / $metadata: System metadata
• $p: Query timerange
• $d / $data: User data (actual event content)
• Nested field access

How data is represented in DataPrime

In DataPrime, data is organized using four keypath prefixes: $l (user-defined labels), $m (metadata), $p (timerange metadata) and $d (actual event data). Each prefix creates a namespace within the JSON structure, which separates these different data types and contexts unless explicitly merged by the user.

$l / $labels: User-managed labels

These labels or tags are user-defined and can be used to classify or group events. Below is a breakdown of the fields available in the $l namespace:

Field	Description	Type
applicationname	The name of the application generating the event	string
subsystemname	The specific subsystem of the application	string
category	The event’s category, such as type or function	string
classname	The name of the class where the event occurred	string
computername	The name of the machine or host	string
methodname	The method or function related to the event	string
threadid	The ID of the thread that triggered the event	number
ipaddress	The IP address from where the event originated	string

$m / $metadata: System metadata

This section holds automatically generated metadata that describes the event context. Below are the fields within the $m namespace:

Field	Description	Possible Values	Type
timestamp	The time the event was recorded	-	timestamp
severity	The event’s severity level	Debug, Verbose, Info, Warning, Error, Critical	string
priorityclass	Indicates the event's importance	high, medium, low	string
logid	A unique identifier for the log	-	string

$p: Query timerange

The $p prefix holds the start and end of the current timerange, allowing users to use the time commands to create queries that are relative to, but not constrained by, the query timerange.

Field	Description	Possible Values	Type
timeRange.startTIme	The start of the time range	-	timestamp
timeRange.endTime	The end of the time range	-	timestamp

$d / $data: User data (actual event content)

This section contains the actual data provided by the user, representing the main content of the event.

Note

Since this is the default namespace, you can keep queries concise by omitting the prefix. Throughout this Reference, example queries exclude explicit references to $d for simplicity.

• Purpose: Holds the raw data that makes up the event content.
• Behavior: As the default namespace, $d is optional in queries.
• Example Use Case: User logs or spans

Nested field access

Nested keys may be accessed using dot notation (e.g., k8s.container.name) or map notation (e.g., $d['my_key.with-special-chars']) for fields containing special characters.

Examples:

• Dot Notation: user.name (to access the name field inside user)
• Map Notation: $d['my-special.log-key'] (for fields with special characters in their keys)

Previous DataPrime query structure

Next Sources in DataPrime