Merged
2 changes: 2 additions & 0 deletions docs/apm/traces/search-query-language-support-for-traces.md
Expand Up @@ -35,6 +35,8 @@ To search your tracing data do the following:

A Keyword Search Expression defines the scope of data for the query. You need to specify `_index=_trace_spans` in the scope to reference your trace data.

Keyword searching is supported for tracing indexes across all fields, unlike other indexes where only the `_raw` field is searched.

#### _any option

In scenarios where users are not familiar with the schema and would like to search across all the fields, `_any` modifier provides a means to search for a specified value from all of the Ingest Time Fields in your data. For example, to search for data with any field that has a value of success you would put `_any=success` in the scope of your query.
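Review bot: The added sentence says bare keywords already match all fields for tracing indexes, but the `_any option` section directly below it still presents `_any=success` as the way to search across all fields, so a reader cannot tell how the two differ. State the difference in this sentence, for example whether a bare keyword covers the same Ingest Time Fields that `_any` does, and add a short query such as `_index=_trace_spans success` so the behaviour is shown and not only asserted. "Other indexes" is also vague; naming which indexes keep `_raw`-only matching would remove the guesswork.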
Expand Up @@ -162,6 +162,8 @@ You can search Cloud SIEM fields by keyword, for example:

`_index=sec_record_authentication kerberos`

Keyword searching is supported for security indexes across all fields, unlike other indexes where only the `_raw` field is searched.

### Referencing nested JSON fields

The **Security Record Details** field contains a JSON object with all of the fields from the underlying record or signal. Some of the data is nested in one or more sub-objects, like the `fields` object for record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.
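Review bot: The added sentence uses "security indexes" without saying which indexes that covers; the only one visible here is `sec_record_authentication` in the example just above it. Name the index pattern or link to the list, and tie the sentence to that example by stating that `kerberos` matches a value in any field of the record, not only `_raw`, because an analyst used to `_raw`-only matching can get broader results than expected when reusing a keyword query for a detection or hunt. The wording is a near copy of the sentence added to the tracing page, so keep the two in sync if either is revised.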