Reserving fields

IBM® Cloud Logs indexes your data in ingestion order. After the maximum number of stored fields is reached, more fields might not be available for querying. With reserved fields, you can explicitly define important fields that you always want to query while still allowing IBM Cloud Logs to dynamically add other fields as they are encountered.

With reserved fields, you can:

Ensure that important fields are always available for queries.
Specify the data type for each field to make storage and querying more efficient.
Define the fields that you need so those fields are available for improved query performance.

When data is ingested, fields are mapped in an index. The automatic mapping dynamically adds fields, but those fields might be associated with an undesired data type if a field of the same name is ingested first. With reserved fields, you predefine fields and their associated data type.

Reserved fields are applied each day at 00:00 UTC when the daily index is created. Reserved fields are included in the daily index limit.

Data types

Each reserved field is associated with a data type.

Field data types
Data type	Description	Example JSON usage
`boolean`	Represents a `true` or `false` value. The `boolean` data type is commonly used for logical checks and conditions.	`true` or `false`
`string`	A sequence of characters. The `string` data type is often used for text identifiers or alphanumeric data. Stored in UTF-8 format.	`"example text"`
`number`	A numeric value. The `number` data type can be either an integer or a floating-point value. The value can be used for calculations or measurements.	`123` or `45.67`

Required permissions

To configure reserved fields, you must have an IAM role with the required actions:

IAM actions required for reserved fields
Action	Description
`logs.reserved-field.read`	View reserved fields.
`logs.reserved-field.manage`	Update, delete or create reserved fields.

Defining reserved fields

You can define reserved fields in two ways:

By selecting fields previously ingested, mapped, and indexed by IBM Cloud Logs.
By manually defining fields and their associated data type.

Log in to your IBM Cloud account.
Access your IBM Cloud Logs instance
Click the Data pipeline icon > Reserved fields.
Click + Add field.
In Field Name, enter a field name.
- If the field is mapped by IBM Cloud Logs, you can select the field and mapping from the list.
You can also click View full list to see all the fields currently mapped. You can limit the list to a selected time period. Up to 7 days of fields that are processed by IBM Cloud Logs are available.
- If the field is not mapped, you can enter a field name and select the Type to be associated with the field.
Click Save.

Adding multiple reserved fields at the same time

If you would like to add multiple reserved fields that are mapped by IBM Cloud Logs at the same time, you can use the Add in bulk option.

Log in to your IBM Cloud account.
Access your IBM Cloud Logs instance
Click the Data pipeline icon > Reserved fields.
Click Add in bulk.
Select the existing fields that you want to add as reserved fields.

You can search for fields as well as limit the search to a specific time period.
Click Add to list to add the selected fields as reserved fields.

Maintaining reserved fields

You can Edit a reserved field and Remove reserved fields you no long need.

For example, you might need to edit a reserved field if you find the data type associated with the field is incorrect.