I'm trying to index multi-line key value (KV) data from a TCP input. I have full control of the input, so I can modify it any way; this is how it looks at the moment:
Id = '1657'
Timestamp = '2011-03-14 13:28:01'
ApplicationId = 'My Test Application'
Severity = 'INFO'
User = 'George'
UserContext = 'Server5\George'
Message = 'File: C:\temp\MyFile.txt Deleted'
I want logs to be indexed and searchable by the keys above. At the moment the source type is set to 'tcp' and I can't filter searches on e.g. 'Message'.
Is there an existing source type that I can use? Or how do I create a new one and/or set up field extractions etc.?
//A novice
First, I would suggest changing the log format slightly to:
2011-03-14 13:28:00
Id="1657"
ApplicationId="My Test Application"
Severity="INFO"
User="George"
UserContext="Server5\George"
Message="File: C:\temp\MyFile.txt Deleted"
...
...
Secondly, to specify a sourcetype for your data you can then edit inputs.conf to:
inputs.conf
[tcp://12345]
sourcetype = SomeName
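As an added example (not part of the answer above or of Splunk itself), here is a small Python parser for the suggested format: it breaks the stream into events on the timestamp line, pulls each Key="Value" pair out literally so the backslashes in `Server5\George` and `C:\temp\MyFile.txt` survive, and lets you filter on a field such as `Message`. The sample input is constructed; `parse_events` and `search` are hypothetical helper names.

```python
import re
from typing import Dict, List

# Event boundary: a line holding only the timestamp, as in the suggested format.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# One Key="Value" line; the value is taken literally, so backslashes in
# Windows paths such as C:\temp\MyFile.txt survive unchanged.
KV_RE = re.compile(r'^(\w+)="(.*)"$')

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split a multi-line KV stream into one dict per event, keyed on the timestamp line."""
    events: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            current = {"_time": line}
            events.append(current)
            continue
        if current is None:
            raise ValueError(f"line outside any event: {line!r}")
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"malformed KV line: {line!r}")
        current[m.group(1)] = m.group(2)
    return events

def search(events: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Events whose named fields contain every given substring (case-insensitive)."""
    return [e for e in events
            if all(v.lower() in e.get(k, "").lower() for k, v in criteria.items())]

# Constructed sample: two events in the answer's suggested format.
SAMPLE = r"""2011-03-14 13:28:00
Id="1657"
ApplicationId="My Test Application"
Severity="INFO"
User="George"
UserContext="Server5\George"
Message="File: C:\temp\MyFile.txt Deleted"
2011-03-14 13:28:05
Id="1658"
Severity="WARN"
User="Alice"
UserContext="Server5\Alice"
Message="File: C:\temp\Other.txt Access denied"
"""
```

This mirrors what the indexer has to do with the data: find the event boundary on the timestamp line and then extract each quoted pair, which is why values containing spaces, colons and backslashes pose no problem in this format.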