Skip to content

Filter with Fields

Use the Fields panel to discover which fields exist in your current Explore results and to take common actions without manually typing field names into the query.

The Fields panel replaces the old "filters" concept, which was a closed list of predefined fields. Fields is an open list: it surfaces all detected fields from the current results, and lets you favorite the ones you care about most.

The Fields panel showing detected fields, favorites, and value distributions

What a field is

A field is a key found in your logs. Each log event can include many fields, and the Fields panel lists those detected in the results you are currently viewing.

How the Fields panel updates

The Fields panel reflects the current Explore context:

  • Your query
  • Your time range (for example, the last 15 minutes)
  • The results returned for that context

As you change the query or time range, the panel updates to match the current results. It surfaces all detected fields from the current results, and lets you favorite the ones you care about most.

It does not represent every field across all historical logs.

How filtering works

Filtering is synchronized between the Fields panel and the query bar:

  • When you add a field or value from the Fields panel, it is added to the query bar.
  • When you edit the query bar, the Fields panel updates to reflect those selections.

This prevents mismatches where one UI control applies a constraint that the other does not show.

Field search flow

Goal: Allow the user to discover fields and add field-value filters to the query.

Use the following flow to find a field, select a value, and filter the results:

  1. Open the Fields panel.
  2. Search for a specific field by name.
  3. Add the field to the selected area.
  4. Select the field to expand it.
  5. Select one of the field values.
  6. Confirm that the value is added to the query.
  7. Run the query.

As you add or remove filters, the Fields panel and the query bar stay in sync, so you can validate what is applied from either place.

Panel sections

The Fields panel uses a tree structure. Expand any section to browse its fields, and expand a field to see its value distribution and statistics.

The Fields panel is organized into these sections:

Favorites

A personal list of fields you want to keep at the top.

  • Add a field to favorites to pin it for quick access.
  • Favorites support "my fields" workflows, where different users care about different keys.

Metadata

Coralogix internal metadata fields.

These fields align with how metadata is referenced in DataPrime queries (for example, metadata commonly appears under $m).

All fields

All other detected fields from your log data.

These fields align with how log data is referenced in DataPrime queries (for example, log fields commonly appear under $l).

Actions you can take from a field

Use the field actions menu (three dots) to take common actions without copying field names into the query builder.

Field actions menu with options to add as filter, column, or copy path

Add as filter

Add a field-value filter to the query. Removing the filter from either the query bar or the Fields panel clears it in both places.

Add as column

Add the field as a column in the log grid so you can inspect its per-event values.

Copy full path

Copy the full field path (for example, coralogix.metadata.severity) to your clipboard. Use this to paste the field name into queries, scripts, or documentation without manually typing it.

View value distributions

Expand a field in the Fields panel to see its value distribution inline — the count of logs per value within the current result set. The distribution updates automatically as you change the query or filters.

To open a graph or aggregate view for a field, open the more actions menu and select Show graph for key or Group for key.

Show the graph for the key

Select Show the graph for the key to instantly visualize how a field's values are distributed over time. This action is available from two places:

  • The Fields sidebar context menu (three dots on any field)
  • The logs table context menu (right-click any key-value pair in a log entry that contains log data)

Both entry points produce the same graph. Explore generates a time-series bar chart — grouped by the selected field — that shows how each value contributes to the total log volume across the current time range.

Use this to:

  • Quickly assess the distribution of a field without building a full query
  • Spot spikes, drops, or imbalances in specific field values over time
  • Identify which values dominate a field and how their proportions change

The chart appears above the results table, replacing the current visualization. Each bar segment represents a distinct value for the selected field, color-coded in the legend. The legend also displays the total count for each value.

The generated chart is interactive — select any bar segment to drill down into the underlying logs for that value and time interval, or filter the value in or out of your query.

This action is equivalent to adding the field as a Group by with a Count aggregation and visualizing the result as a stacked bar chart.

Add as Grouping

Select Add as Grouping to add the field to the Group by clause in the query builder. The table transforms from individual log rows into aggregated groups, showing each unique value and its count.

This provides a shortcut to group results by a field directly from the Fields panel without opening the Group by dropdown. After grouping, select any group row to open a drilldown panel for focused investigation of that group.

Field statistics

Each field shows the following statistics, calculated from the current result set:

  • Field popularity — the percentage of logs in the current result set that contain this field. For example, if 20 out of 100 logs contain the status field, its popularity is 20%.
  • Data type
  • Number of values
  • Selected values indicator (for example, 2/<total>)

Expand a field to see its value distribution: a breakdown of the count of logs per value within the current result set.

Example for the application field:

  • app1 — 45 logs
  • app2 — 30 logs
  • app3 — 25 logs

Both field popularity and value distribution update dynamically when you change the query or time range.

Sorting behavior

Sort the fields list using the sort menu. Options:

  • A to Z (default) — alphabetical order
  • Highest coverage first — fields that appear in the most logs in the current result set are shown first
  • Lowest coverage first — fields that appear in the fewest logs are shown first

Coverage is based on field popularity: the percentage of logs in the current result set that contain each field.

Notes on scale and performance

Large datasets can contain thousands of fields. Some advanced capabilities (like coverage-based sorting and value frequency stats) require heavier calculations and supporting APIs and will roll out in later phases.

Troubleshooting

If adding a filter returns no results:

  • The filter combination might be too narrow for the current time range.
  • Remove one filter and reapply filters one at a time.

If a field does not appear in the Fields panel:

  • The field might not be present in the current results for the selected time range.
  • Widen the time range or adjust the query to bring relevant logs into the results.

If the Fields panel does not reflect the query you expected:

  • Verify that the value you selected appears in the query bar.
  • Clear and reapply the filter from either the query bar or the Fields panel.

Permissions

The Fields panel honors the same roles and permissions that control access to Explore and the underlying log data.

Need help? Contact Support.
What's new? Find out here.
LLM? Read llms.txt.
Previous Query Builder
Next Tabs, Views, and Queries