I am trying to extract data from the Host field at search time, using a REPORT-
in props.conf.
The extraction works when I use SOURCE_KEY = ComputerName
, a field in the data that contains the host. But, this is only available in WinEventLog
data, and I want it to apply to all hosts regardless of type of data.
I have tried SOURCE_KEY = MetaData:Host
, but it does not work. What gives?
It seems that MetaData:Host
is only available at index time, for index-time transforms.
Use SOURCE_KEY = host
when using the transform at search time.
It seems that MetaData:Host
is only available at index time, for index-time transforms.
Use SOURCE_KEY = host
when using the transform at search time.