The following identifies the default field order for filters migrated from an earlier version of the log forwarding application. For log filters created after that migration, you specify the field order when you create a log filter by specifying the columns you want to receive.

The fields are identified in the default order that they appear in each log line.

HEADER, log_time, log_source_id, log_type.​value, sub_type.​value, config_version.​value, time_generated, source_ip.​value, dest_ip.​value, nat_source.​value, nat_dest.​value, rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.​value, outbound_if.​value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port, nat_dest_port, flags, protocol.​value, action.​value, file_name, file_id, url_category.​value, vendor_severity.​value, direction_of_attack.​value, sequence_no, action_flags, source_location, dest_location, EMPTY, EMPTY, pcap_id, file_sha_256, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, report_id, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, EMPTY, source_uuid, dest_uuid, EMPTY, tunnelid_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel.​value, EMPTY, content_version, sig_flags, EMPTY, EMPTY, EMPTY, EMPTY, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.​value, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion, source_device_host, source_device_mac, dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id, pod_namespace, pod_name, source_edl, dest_edl, gp_host_id, endpoint_serial_number, domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash, time_generated_high_res, reason_data_filtering, justification, nssai_network_slice_type.​value