Other than Timestamp, which fields should you assign to objects? Below is an example batch that shows a minimalistic approach, using as few fields as possible. Suppose we want to create an object for the following log record:

Other than the Timestamp, the rest of the log record is stored in a single field called Message. This allows us to find, for example, all log records that contain the term “info” with a query such as the following:

However, this query returns every object whose Message contains the term info, not only INFO-level records: because text field values are matched case-insensitively, a WARN record whose text happens to mention “info” matches too. To allow more granular queries, we can put the log Level and Module into separate fields:

To search for INFO-level records that were created by a module whose name begins with MBean, we can add a wildcard clause:

Note that field names such as Level and Module are case-sensitive, whereas text field values are not.

Sometimes it makes sense to store both the original, raw log record and the separate individual values in their own fields. Then we can use fine-grained queries but also see the full, original log record if needed. For example, here is a typical Apache log record with the raw message stored in the message field and many other fields extracted:

Notice that message contains values that are also extracted to other fields, such as clientip, request, and verb.
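The three approaches described above (Message only; Level and Module split out; raw message plus extracted fields) as a worked example. This is added illustration, not code from the original page or from any particular log-management product: the log lines are constructed, the line layout `<date> <time> <LEVEL> [<module>] <text>` is an assumption, the Apache line follows the common “combined” format, and the term and wildcard matching functions are a small stand-in for a real query engine that keeps the two rules the text states (field names are case-sensitive, text values are not).

```python
import fnmatch
import re

# Constructed sample records for this example; not taken from the original page.
LOG_LINES = [
    "2015-03-10 12:34:56,789 INFO [MBeanServerImpl] Registered bean com.example:type=Cache",
    "2015-03-10 12:34:57,001 WARN [ConnectionPool] Retrying; see info log for details",
    "2015-03-10 12:34:58,250 INFO [RequestHandler] Served /index.html in 12 ms",
]
APACHE_LINE = ('10.0.0.5 - - [10/Mar/2015:12:34:56 +0000] "GET /index.html HTTP/1.1" 200 2326 '
               '"http://example.com/" "Mozilla/5.0"')

# Assumed line layout: "<date> <time> <LEVEL> [<module>] <text>"
JAVA_RE = re.compile(r"^(?P<Timestamp>\S+ \S+) (?P<Level>[A-Z]+) \[(?P<Module>[^\]]+)\] (?P<Text>.*)$")
# Apache "combined" format, using the field names the text mentions (clientip, verb, request)
APACHE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def _parse(regex, line):
    m = regex.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    return m


def minimal_object(line):
    """Minimalistic approach: Timestamp plus everything else in one Message field."""
    m = _parse(JAVA_RE, line)
    return {"Timestamp": m.group("Timestamp"), "Message": line[m.end("Timestamp") + 1:]}


def granular_object(line):
    """Level and Module get their own fields; only the free text remains in Message."""
    m = _parse(JAVA_RE, line)
    return {"Timestamp": m.group("Timestamp"), "Level": m.group("Level"),
            "Module": m.group("Module"), "Message": m.group("Text")}


def apache_object(line):
    """Raw record kept in 'message' alongside the extracted fields."""
    m = _parse(APACHE_RE, line)
    obj = {"message": line}          # full original record, for when context is needed
    obj.update(m.groupdict())        # clientip, verb, request, response, ...
    obj["response"] = int(obj["response"])
    obj["bytes"] = 0 if obj["bytes"] == "-" else int(obj["bytes"])
    return obj


def _tokens(value):
    # Text values are tokenised and lower-cased, so "INFO" and "info" are the same term.
    return [t.lower() for t in re.findall(r"[\w.:/]+", str(value))]


def term_match(obj, field, term):
    """Term query: the field name is looked up case-sensitively, the value is not."""
    if field not in obj:
        return False
    return term.lower() in _tokens(obj[field])


def wildcard_match(obj, field, pattern):
    """Wildcard query such as 'MBean*'; same case rules as term_match."""
    if field not in obj:
        return False
    return fnmatch.fnmatchcase(str(obj[field]).lower(), pattern.lower())


def search(objects, *predicates):
    """Return the objects for which every predicate holds."""
    return [o for o in objects if all(p(o) for p in predicates)]


if __name__ == "__main__":
    minimal = [minimal_object(l) for l in LOG_LINES]
    granular = [granular_object(l) for l in LOG_LINES]
    # Message-only objects: "info" also hits the WARN record that merely mentions info.
    print(len(search(minimal, lambda o: term_match(o, "Message", "info"))))
    # Split fields: INFO level AND module beginning with MBean.
    print(search(granular, lambda o: term_match(o, "Level", "info"),
                 lambda o: wildcard_match(o, "Module", "MBean*")))
    print(apache_object(APACHE_LINE))
```

With Message-only objects the term query for “info” matches all three constructed records, including the WARN one; with Level and Module split out, combining a term clause on Level with a wildcard clause on Module narrows the result to the single MBeanServerImpl record, and a lookup on the misspelled field name `level` matches nothing.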