From 9bae95595aeb5a1cc798f09f9abbb49bbd589294 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Fri, 25 Jul 2025 12:14:47 +0530 Subject: [PATCH 1/3] Update index.md --- .../search-page/field-browser/index.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/search/get-started-with-search/search-page/field-browser/index.md b/docs/search/get-started-with-search/search-page/field-browser/index.md index 8cd2d6afc3..9ed7835549 100644 --- a/docs/search/get-started-with-search/search-page/field-browser/index.md +++ b/docs/search/get-started-with-search/search-page/field-browser/index.md @@ -67,7 +67,15 @@ The Field Browser is limited for aggregate queries in the following ways: * Field counts (item G above) are not displayed for aggregate queries.  * Field counts—If messages returned are less than or equal to 2500 messages, then an exact calculation is shown. If more than 2500 messages are returned, an approximation is shown. * The **Approximate Count** displays the count of the field values for the field. This does not display complete field values count for that field but it's just to calculate average, minimum, maximum, and standard deviation values from the first 100,000 raw messages. The field values will be skipped if the 100,000 raw messages limit is exceeded. - +* You can limit the number of fields you extract. Use the below query to restrict the number of fields for field browser: + ```sql + _sourceCategory="cnapp/palo_alto/cortex_cloud" and _collector="Cribl - Palo Alto Cortex Cloud (Prisma)" _dataTier=infrequent + | json field=_raw "command" as Command + | json field=_raw "image" as Image + | json field=_raw "container" as container + | fields container, Image, Command + ``` + ## Guide contents In this section, we'll introduce the following concepts: From 862944ff565291f5529a51c782d4acfc12b6120a Mon Sep 17 00:00:00 2001 
From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Mon, 28 Jul 2025 14:26:37 -0400 Subject: [PATCH 2/3] Update docs/search/get-started-with-search/search-page/field-browser/index.md --- .../search-page/field-browser/index.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/search/get-started-with-search/search-page/field-browser/index.md b/docs/search/get-started-with-search/search-page/field-browser/index.md index 9ed7835549..a6ed0985e8 100644 --- a/docs/search/get-started-with-search/search-page/field-browser/index.md +++ b/docs/search/get-started-with-search/search-page/field-browser/index.md @@ -68,13 +68,7 @@ The Field Browser is limited for aggregate queries in the following ways: * Field counts—If messages returned are less than or equal to 2500 messages, then an exact calculation is shown. If more than 2500 messages are returned, an approximation is shown. * The **Approximate Count** displays the count of the field values for the field. This does not display complete field values count for that field but it's just to calculate average, minimum, maximum, and standard deviation values from the first 100,000 raw messages. The field values will be skipped if the 100,000 raw messages limit is exceeded. * You can limit the number of fields you extract. Use the below query to restrict the number of fields for field browser: - ```sql - _sourceCategory="cnapp/palo_alto/cortex_cloud" and _collector="Cribl - Palo Alto Cortex Cloud (Prisma)" _dataTier=infrequent - | json field=_raw "command" as Command - | json field=_raw "image" as Image - | json field=_raw "container" as container - | fields container, Image, Command - ``` +* The system limits the number of fields extracted for display in the field browser. Use the [`fields` Operator](/docs/search/search-query-language/search-operators/fields) to control which exact fields are retrieved. ## Guide contents 
From 80ef92c6287d086b5193c0c070be9dfbec5d045b Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Mon, 28 Jul 2025 14:26:59 -0400 Subject: [PATCH 3/3] Update docs/search/get-started-with-search/search-page/field-browser/index.md --- .../get-started-with-search/search-page/field-browser/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/search/get-started-with-search/search-page/field-browser/index.md b/docs/search/get-started-with-search/search-page/field-browser/index.md index a6ed0985e8..050c75319f 100644 --- a/docs/search/get-started-with-search/search-page/field-browser/index.md +++ b/docs/search/get-started-with-search/search-page/field-browser/index.md @@ -67,7 +67,6 @@ The Field Browser is limited for aggregate queries in the following ways: * Field counts (item G above) are not displayed for aggregate queries.  * Field counts—If messages returned are less than or equal to 2500 messages, then an exact calculation is shown. If more than 2500 messages are returned, an approximation is shown. * The **Approximate Count** displays the count of the field values for the field. This does not display complete field values count for that field but it's just to calculate average, minimum, maximum, and standard deviation values from the first 100,000 raw messages. The field values will be skipped if the 100,000 raw messages limit is exceeded. -* You can limit the number of fields you extract. Use the below query to restrict the number of fields for field browser: * The system limits the number of fields extracted for display in the field browser. Use the [`fields` Operator](/docs/search/search-query-language/search-operators/fields) to control which exact fields are retrieved. ## Guide contents
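Review bot: In [PATCH 1/3], the scope line of the added query hard-codes `_sourceCategory="cnapp/palo_alto/cortex_cloud"` and `_collector="Cribl - Palo Alto Cortex Cloud (Prisma)"`, which read as values from one particular deployment rather than a documentation example. Replace them with neutral placeholders so that no environment naming is published and readers can see what to substitute. The same line mixes an explicit `and` with an implicit one before `_dataTier=infrequent`, the fence is tagged `sql` although the body is a search query built from `json` and `fields` operators, and the bullet is added to the list headed "limited for aggregate queries" while the query itself does no aggregation.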
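Review bot: In [PATCH 2/3], the context line `* You can limit the number of fields you extract. Use the below query to restrict the number of fields for field browser:` is kept while the query it introduces is deleted, so at this commit the bullet points at nothing. Drop that line in the same change (3/3 does so separately) or squash the two commits. The replacement bullet also says the system limits the number of fields without giving the limit, whereas the neighbouring bullets state their thresholds (2500 messages, 100,000 raw messages); state the number if it is fixed.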
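Review bot: In [PATCH 3/3], removing the lead-in leaves the `fields` bullet as the last item under "The Field Browser is limited for aggregate queries in the following ways:", but its wording describes a limit on extracted fields in general. Confirm the limit is specific to aggregate queries, or move the bullet out of that list. With the sample query gone the page only links to the operator, so a short generic `| fields ...` illustration in the bullet would keep the guidance usable without the deployment-specific values from 1/3.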