In Sentinel, _data is the default search field. You can customize the set of event fields that are concatenated in the default search field by adding indexedlog.datafield.ids property in the configuration.properties file. This helps you to add or remove the event fields from the default search based on your requirements.
To customize the default search field:
Log in to the Sentinel server as the novell user.
Open the /etc/opt/novell/sentinel/config/configuration.properties file.
Add the indexedlog.datafield.ids property and set it to the required event fields.
For example, indexedlog.datafield.ids=evt,msg,sun,iuid,dun,tuid,sip,sp,dip,dp,rv42,shn,rv35,rv41,dhn,rv45,obsip,sn,obsdom,obssvcname,ttd,ttn,rv36,fn,ei,rt1,rv43,rv40,isvcc,repip.
Restart the Sentinel server.