Reserved fields - Simple Log Service - Alibaba Cloud Documentation Center

When you collect logs to Simple Log Service or ship logs to other cloud services , Simple Log Service adds information such as log sources and timestamps to logs in the Key:Value pair format. The fields that include the preceding information are reserved fields of Simple Log Service. This topic describes the reserved fields of Simple Log Service.

Important

When you call API operations to write data or create Logtail configurations, we recommend that you do not use the names of the reserved fields as field names in the operations. Otherwise, issues such as duplicate field names and inaccurate queries may occur.
Data shipping tasks of the old version do not support the fields that have the __tag__ prefix.
If your Logstore uses the pay-by-ingested-data billing mode, you are not charged for the fields that you add to logs. For more information, see Pay-by-ingested-data.
If your Logstore uses the pay-by-feature billing mode, you are charged for the fields that you add to logs. If you create indexes for the fields, you are charged for index traffic and log storage. For more information, see Pay-by-feature.

Reserved field	Data format	Index and log analysis configuration	Description
`__time__`	The value is an integer that represents a UNIX timestamp.	Index configuration: The `__time__` field is specified by using the from and to parameters in API operations. You do not need to create an index for the __time__ field. Log analysis configuration: By default, if you turn on Enable Analytics for any field, the log analysis feature is enabled for the `__time__` field.	The time when a log is written to a Logstore. You can use this field to ship, query, and analyze logs.
`__source__`	The value is a string.	Index configuration: By default, if you enable the indexing feature, Simple Log Service creates an index for the `__source__` field. The index is of the text type. No delimiter is specified for the index. To query logs based on the index, you can enter `source:127.0.0.1` or `__source__:127.0.0.1`. Log analysis configuration: By default, if you turn on Enable Analytics for any field, the log analysis feature is enabled for the `__source__` field.	The machine from which logs are collected. You can use this field to ship, query, analyze, and consume logs.
`__topic__`	The value is a string.	Index configuration: By default, if you enable the indexing feature, Simple Log Service creates an index for the `__topic__` field. The index is of the text type. No delimiter is specified for the index. To query logs based on the index, you can enter `__topic__:XXX`. Log analysis configuration: By default, if you turn on Enable Analytics for any field, the log analysis feature is enabled for the `__topic__` field.	The topic of a log. If you specify a topic for a log, Simple Log Service adds a topic field to the log. The key of the field is `__topic__`, and the value of the field is the topic content. You can use this field to ship, query, analyze, and consume logs. For more information, see Log topics.
`_extract_others_`	The value is a string and can be deserialized into a JSON map.	This field does not exist in logs. You do not need to create an index for this field.	This field is equivalent to the `__extract_others__` field. We recommend that you use the `__extract_others__` field.
`__tag__:__client_ip__`	The value is a string.	Index configuration: By default, if you enable the indexing feature, Simple Log Service creates an index for the tag field. The index is of the text type. No delimiter is specified for the index. Exact match and fuzzy match are supported for log queries. Log analysis configuration: By default, the log analysis feature is disabled for the __tag__:__client_ip__ field. To enable the log analysis feature for the `__tag__:__client_ip__` field, you must create an index for the field and turn on Enable Analytics for the field.	The public IP address of the machine from which logs are collected. This field is a system tag. If you enable the public IP address recording feature, this field is added to each raw log when Simple Log Service receives logs. You can use this field to query, analyze, and consume logs. When you specify this field in an SQL statement, you must enclose this field in double quotation marks (""). For more information, see Log and Manage a Logstore.
`__tag__:__receive_time__`	The value is a string and can be converted into an integer that represents a UNIX timestamp.	Index configuration: By default, if you enable the indexing feature, Simple Log Service creates an index for the tag field. The index is of the text type. No delimiter is specified for the index. Exact match and fuzzy match are supported for log queries. Log analysis configuration: By default, the log analysis feature is disabled for the __tag__:__receive_time__ field. To enable the log analysis feature for the `__tag__:__receive_time__` field, you must create an index for the field and turn on Enable Analytics for the field.	The time when Simple Log Service receives a log. This field is a system tag. If you enable the public IP address recording feature, this field is added to each raw log when Simple Log Service receives logs. You can use this field to query, analyze, and consume logs. For more information, see Log and Manage a Logstore.
`__tag__:__path__`	The value is a string.	Index configuration: By default, if you enable the indexing feature, Simple Log Service creates an index for the `__tag__:__path__` field. The index is of the text type. No delimiter is specified for the index. To query logs based on the index, you can enter `__tag__:__path__:XXX`. Log analysis configuration: By default, the log analysis feature is disabled for the __tag__:__path__ field. To enable the log analysis feature for the `__tag__:__path__` field, you must create an index for the field and turn on Enable Analytics for the field.	The path to the log file from which logs are collected. Logtail automatically adds this field to the collected logs. You can use this field to query, analyze, and consume logs. When you specify this field in an SQL statement, you must enclose this field in double quotation marks ("").
`__tag__:__hostname__`	The value is a string.	Index configuration: By default, if you enable the indexing feature, Simple Log Service creates an index for the `__tag__:__hostname__` field. The index is of the text type. No delimiter is specified for the index. To query logs based on the index, you can enter `__tag__:__hostname__:XXX`. Log analysis configuration: By default, the log analysis feature is disabled for the __tag__:__hostname__ field. To enable the log analysis feature for the `__tag__:__hostname__` field, you must create an index for the field and turn on Enable Analytics for the field.	The hostname of the machine from which Logtail collects logs. Logtail automatically adds this field to logs. You can use this field to query, analyze, and consume logs. When you specify this field in an SQL statement, you must enclose this field in double quotation marks ("").
`__raw_log__`	The value is a string.	You must create and configure an index of the text type for this field and enable the log analysis feature based on your business requirements.	The raw log that fails to be parsed. If you turn off Drop Failed to Parse Logs, Logtail uploads raw logs that fail to be parsed. The key of this field is `__raw_log__`, and the value of this field is the log content. You can use this field to ship, query, analyze, and consume logs. For more information, see Collect text logs from servers.
`__raw__`	The value is a string.	You must create and configure an index of the text type for this field and enable the log analysis feature based on your business requirements.	The raw log that is parsed. If you turn on Upload Raw Log, Logtail uploads the raw logs as the `__raw__` field together with the parsed logs. You can use this field in log audit and compliance check scenarios. You can use this field to ship, query, analyze, and consume logs. For more information, see Collect text logs from servers.