Fieldsets

A fieldset determines the fields that are displayed in the search results for each event that matched a search query. By selecting the fieldset, you select which fields you see in the search results.

Predefined Fieldsets

The system provides a number of predefined fieldsets. For more information about fieldsets, see Managing Fieldsets.

    Note: If you select the All Fields fieldset, only the fields available for the matched events are displayed in the search results (or in the exported file).

"User-Defined Fields" Fieldset

When you use a search operator that defines a new field, such as rex, rename, or eval, a new column for each field is added to the currently selected display. These newly defined fields are displayed by default. The User-Defined Fields fieldset enables you to view only the newly defined fields.

"Raw Event" Fieldset

The Raw Event fieldset displays the whole raw syslog event in a column called rawEvent, with the event formatted to fit in the column.

Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events in the rawEvent column. To do so, make sure the connector that is sending events to the Logger populates the rawEvent field with the raw event.

Note: To see the raw events in the rawEvent column, enable the Search Option, “Populate rawEvent field for syslog events”. See Global Search Options for more information.

Generating Search Results

If Raw Event is selected as the only system fieldset in the search, results are displayed. However, these results cannot be exported, because Logger generates an empty report.

When exporting search results, Logger automatically discards the raw messages. All other data selected by the user is used to create the export file. Moreover, fieldsets that contain only rawMessages display no results.