Hello,
When extracting fields from different sources (syslog, IIS, file, ...), but they have the same semantic meaning (application, host, severity, ...), is it a best practice to extract these fields under the same name? Or is it useful to distinguish between them?
If I want to know what source the field came from, I can still use the source field itself right?
Thx for your input.
It's actually recommended to use the same field names - have a look at the Common Information Model which defines a nomenclature for how fields should be named. You can use several other fields for identifying where the event came from in the first place, like for instance source and sourcetype.
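One way to put the answer above into practice, as an added example that is not from the original thread: a props.conf fragment that aliases source-specific field names onto shared CIM-style names, leaving sourcetype to tell the events apart. The IIS field names are the standard W3C columns as Splunk extracts them; the syslog stanza name and its field names (sys_client, sys_user, sys_level) are assumed to come from a custom extraction.

```ini
# props.conf (added example, not from the original thread).
# Assumption: the IIS sourcetype already yields c_ip, cs_username and sc_status,
# and a custom extraction for the "app_syslog" sourcetype yields sys_client,
# sys_user and sys_level. Both are mapped to the same names (src, user, status,
# severity) so a single search covers both sources.

[iis]
FIELDALIAS-cim_src    = c_ip AS src
FIELDALIAS-cim_user   = cs_username AS user
FIELDALIAS-cim_status = sc_status AS status
# IIS has no severity column; derive one from the HTTP status code.
EVAL-severity = if(sc_status >= 500, "high", if(sc_status >= 400, "medium", "low"))

[app_syslog]
FIELDALIAS-cim_src  = sys_client AS src
FIELDALIAS-cim_user = sys_user AS user
# Normalise free-text syslog levels to the same three values used above.
EVAL-severity = case(match(sys_level, "(?i)err|crit|alert|emerg"), "high", match(sys_level, "(?i)warn"), "medium", true(), "low")

# With the shared names in place, the origin of each event is still visible
# through sourcetype (or source), e.g.:
#   (sourcetype=iis OR sourcetype=app_syslog) severity=high
#   | stats count BY sourcetype, src, user
```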