Fields & discovery
Because HeliosLogs is schema-on-read, there's no field list to declare or maintain — fields are discovered from your data at query time. This page covers how to find what's there and filter by it.
The field panel
The left panel on the search page lists the fields present in your current results. For each field it shows:
- Value breakdown — the top values with counts and a relative bar. Click a value to filter by it (and click again to remove the filter).
- Coverage — the fraction of matching events that contain the field.
- Value kind — string, number, boolean, timestamp, or mixed.
- Cardinality — roughly how many distinct values the field has.
Pin the fields you reference often so they stay at the top, and filter the list by name to find a field quickly. Panels load their value breakdowns on demand and refresh in place when you change the query or time range.
What "groupable" and "interesting" mean
HeliosLogs flags fields to guide analysis:
- Groupable — dense enough to be a useful
bydimension in| stats … by field(reasonable coverage and at least a couple of distinct values). - Interesting — glanceable facets with high coverage and low cardinality (the shape of
severity,status,method); these auto-expand so you see them first.
Field discovery API
The field panel and the AI/MCP tools are backed by GET /api/discover_fields, which samples events for a query and ranks the JSON keys present. Useful parameters:
| Parameter | Notes |
|---|---|
q | A query to scope discovery (same syntax as search). |
env, index | Scope by environment / index. |
start, end | Time bounds. |
sample | Max docs sampled (up to 10,000). |
top | Max fields returned (default 30, up to 100). |
Each returned field includes its coverage, distinct-value count (capped at 1000, with a flag when capped), value kind, a few sample values, and the groupable / interesting flags.
Dynamic path semantics
Worth remembering when querying fields:
- Dotted paths address nested data:
error.type,http.status_code. See nested objects. - Multi-valued fields come from arrays:
items.qty:1matches if any element qualifies. See arrays. - Mixed-type fields (a number in one event, a string in another) are preserved — both are queryable.
The universal-core fields (timestamp, message, raw, source, plus the index) are handled structurally and don't appear in discovery — query them directly.