I currently have an existing sourcetype (cisco_ios), extracted from syslog via regex and transforms. Some other transforms split this sourcetype further into separate indexes.
According to the readme I need to: "Make sure your Cisco devices by default log to one of the following sourcetypes: cisco:ios OR syslog (A regex match will be performed to rewrite the events to the cisco:ios sourcetype)"
According to that logic I'm assuming that I can simply do this:
[cisco_ios]
rename = cisco:ios
Will my old regexes for indexing and sourcetyping regimes be respected or will they be superseded by the app? I don't want to have to go through and re-configure the app to suit my needs.