Hi,
I'm a relative newbie at this stuff so please bear with me if I am asking a stupid question.
I have an index that has inputs from two logfiles in different formats:
Logfile 1:
00:00:01|14|Debug|<Message Text>|
Logfile 2:
2014-03-11 00:00:00,085 [alert1] INFO <Message Text>
loglevel is generally assigned correctly for Logfile 2, but never for Logfile 1, except when INFO, DEBUG, etc. are contained in the message text (i.e. not the actual log level as listed after the second pipe in the example above).
Basically, I would like to assign the correct loglevel to messages from both sourcetypes so that, should I query the index for a report against total loglevel messages for a given period, for example, I would actually end up with accurate results.
I'm entirely certain my confusion is a simple lack of experience, as I can happily generate simple queries and reports, but trying to align the data as per my requirement above is totally defeating me.
Any suggestions would be greatly appreciated.
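To illustrate the extraction logic the question is asking for (in Splunk this would be a regex-based field extraction, e.g. via `rex` or an `EXTRACT` in props.conf), here is an added Python example, not from the original post: one pattern per format pulls the level from its fixed position, so a Logfile 1 line whose message text happens to contain "ERROR" is still counted under its real level. The sample lines are constructed.

```python
import re
from collections import Counter

# Logfile 1: HH:MM:SS|<id>|<Level>|<message>|  -> level is the third pipe field
LOGFILE1_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\|(?P<id>\d+)\|(?P<level>[A-Za-z]+)\|(?P<msg>.*)\|$"
)
# Logfile 2: YYYY-MM-DD HH:MM:SS,mmm [source] LEVEL <message>
LOGFILE2_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<source>[^\]]+)\] (?P<level>[A-Z]+) (?P<msg>.*)$"
)


def extract_loglevel(line):
    """Return the normalised (upper-case) log level for a line in either
    format, taken from the level field only, never from the message text.
    Returns None when the line matches neither format."""
    for pattern in (LOGFILE1_RE, LOGFILE2_RE):
        m = pattern.match(line)
        if m:
            return m.group("level").upper()
    return None


def count_by_level(lines):
    """Count events per log level across both sourcetypes; lines that
    match neither format are reported under UNPARSED so they are visible
    rather than silently dropped."""
    counts = Counter()
    for line in lines:
        level = extract_loglevel(line)
        counts[level if level else "UNPARSED"] += 1
    return dict(counts)


# Constructed sample input mixing both formats plus one unparseable line.
SAMPLE_LINES = [
    "00:00:01|14|Debug|Starting scheduler|",
    "00:00:02|15|Info|This message mentions ERROR in its text|",
    "2014-03-11 00:00:00,085 [alert1] INFO Heartbeat received",
    "2014-03-11 00:00:01,101 [alert1] WARN Queue depth high",
    "garbage line with no recognisable structure",
]

if __name__ == "__main__":
    print(count_by_level(SAMPLE_LINES))
```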