Some of the logs I'm tracking use source as a fieldname within the log. E.g.:
2011-06-14 17:17:48.028 s=10 source=7592 source_type=2 target=7589 target_type=2
I can probably arrange to have this changed if necessary, but is there any reasonable workaround using field transforms or aliases? I tried adding a simple alias via the manager (source=gsource) but no luck there.
The simplest approach is to create a separate transform and use a different field name.
For example:
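# transforms.conf
[extract-gsource]
# Capture the value of the in-event "source=" key (source_type= does not match)
REGEX=source=(\S+)
# Store it under a different name so it does not clash with Splunk's built-in source field
FORMAT=gsource::$1

# props.conf
[mysourcetype]
# Apply the transform at search time to events of this sourcetype
REPORT-gsource = extract-gsource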
Works like a charm -- thanks!