Creating a tag field

It is also possible to create fields simply to tag events that would be difficult to search for otherwise. For example, if we wanted to find all events that were slow, we could search for:

sourcetype=myapp req_time>999 

Without an indexed field, this query would require parsing every event that matches sourcetype=myapp over the time that we are interested in. The query will then discard all events whose req_time value was 999 or less.

If we know ahead of time that a value of req_time>999 is bad, and we can come up with a regular expression to specify what bad is, we can tag these events for quicker retrieval. Say we have this transforms.conf stanza:

[myapp_slow]
REGEX = req_time=\d{4,}
FORMAT = slow_request::1
WRITE_META = True

This REGEX will match any event containing req_time= followed by four or more digits.

After adding slow_request to fields.conf (see the fields.conf section), we can search for slow_request=1 and find all slow events very efficiently. This will not apply to events that were indexed before this transform existed. If the events that are slow are uncommon, this query will be much faster.
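To make the tagging logic concrete, here is an added Python simulation of what the myapp_slow transform does at index time (example code, not from the book or from Splunk): it runs the stanza's REGEX over a few constructed sample events, writes the constant FORMAT field for matches, and then filters the way a search for slow_request=1 would. It also shows the boundary the regex implies (999 is not tagged, 1000 is) and one caveat the page does not spell out: a zero-padded value such as req_time=0999 has four digits and is tagged too.

```python
import re

# Constructed sample events; the timestamps, paths and values are made up.
EVENTS = [
    "2024-01-01T10:00:00 GET /api/items req_time=842 status=200",
    "2024-01-01T10:00:01 GET /api/items req_time=999 status=200",
    "2024-01-01T10:00:02 POST /api/order req_time=1000 status=200",
    "2024-01-01T10:00:03 GET /api/search req_time=12345 status=504",
    "2024-01-01T10:00:04 GET /health status=200",
    "2024-01-01T10:00:05 GET /api/items req_time=0999 status=200",  # zero-padded caveat
]

# Mirrors the transforms.conf stanza on the page: REGEX decides whether the
# event matches, FORMAT names the indexed field and constant value to write.
MYAPP_SLOW = {"REGEX": r"req_time=\d{4,}", "FORMAT": "slow_request::1"}


def apply_transform(event, transform=MYAPP_SLOW):
    """Return the {field: value} pair the transform would write to the event's
    indexed metadata, or an empty dict when REGEX does not match."""
    if re.search(transform["REGEX"], event) is None:
        return {}
    field, value = transform["FORMAT"].split("::", 1)
    return {field: value}


def tag_events(events):
    """Index-time pass: pair every event with the metadata it would receive."""
    return [(event, apply_transform(event)) for event in events]


def search_slow(events):
    """Search-time equivalent of 'slow_request=1': keep only tagged events,
    without having to parse req_time out of every event again."""
    return [event for event, meta in tag_events(events) if meta.get("slow_request") == "1"]


if __name__ == "__main__":
    for event in search_slow(EVENTS):
        print(event)
```

Note that the zero-padded event is returned by search_slow even though its numeric value is below the intended threshold; if such values can occur in the source, the REGEX needs to exclude a leading zero.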