Thanks for your answer, I'm close to resolving this, but I need help one more time.
My logs look like this:
Jan 3 15:32:52 10.0.1.254 date=2013-01-03 time=15:03:19 devname=FGT60B-CFP device_id=FGT60B3908672004
Jan 3 15:38:21 10.0.1.254 date=2013-01-03 time=15:36:43 devname=FGT60B-EDC device_id=FGT60B3908668256
As you can see, each device has its own serial number, and I need to route its events into an index with a common name like "banana" or "apple".
Is it possible to add a condition in the regex, or anything else, that means:
FGT60B3908672004 => banana
FGT60B3908668256 => apple
All logs have the same source and sourcetype, and I can't use the host value to dispatch via props.conf.
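As an added example (not part of the original post), the per-device index routing described above can be expressed with Splunk's standard index-time transforms: a regex on `device_id` for each serial number, with `DEST_KEY = _MetaData:Index` rewriting the target index. The sourcetype name `fortigate` is assumed here; replace it with the sourcetype the events actually carry.

```ini
# props.conf (assumed sourcetype name; adjust to match your data)
# The two transforms are evaluated in order for every event of this sourcetype.
[fortigate]
TRANSFORMS-route_by_device = route_banana, route_apple

# transforms.conf
# Events whose device_id field matches the first serial go to index "banana".
[route_banana]
REGEX = device_id=FGT60B3908672004
DEST_KEY = _MetaData:Index
FORMAT = banana

# Events carrying the second serial go to index "apple".
[route_apple]
REGEX = device_id=FGT60B3908668256
DEST_KEY = _MetaData:Index
FORMAT = apple
```

Both target indexes must already exist on the indexer, and the stanzas must live on the indexer or heavy forwarder that parses the data, since index-time transforms are not applied by a universal forwarder.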