Greetings,
I introduced a new sourcetype "access_combined_wperformance", but I cannot get it utilized, as "access_combined_wcookie" always wins.
Here is my etc/system/local/props.conf:
########## WEBSERVERS ##########
[access_combined_wperformance]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
########## RULE BASED CONDITIONS ##########
[rule::access_combined_wperformance]
sourcetype = access_combined_wperformance
MORE_THAN_50 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*" \d+$
priority = 100