I am trying to find out how to create a custom field that will be available as an index field that I can set as a static value by source type in props.conf so that it will be available at search time via the UI. For example:
EXTRACT-appcomp = "weblogic"
EXTRACT-apptier = "application"
EXTRACT-appname = "e-commerce"
This does not seem to be working and I was hoping you could provide some guidance.
Use a TRANSFORMS in props.conf that will call the name of the transformation, and in transforms.conf, you specify the regex and the value. (It can be a regex that always matches.)
Is there not a simpler way? It seems to me that if I use the TRANSFORM option then I will have to create a separate TRANSFORM stanza for each of the follow...
I need to add these for numerous instances, apps, components, domains, tiers, etc. Creating the TRANSFORM stanzas for each will take a considerable effort. I effectively want them to be applied to any log we capture, with the values set by source.
Use Calculated Fields:
[source::/temp/weblogic.log]
sourcetype=weblogic-log
EVAL-appcomp = "weblogic"
EVAL-apptier = "application"
EVAL-appname = "e-commerce"
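
For the many sources, apps and tiers mentioned in the follow-up, the Calculated Fields stanzas can be generated from an inventory rather than written by hand. The script below is an added example, not part of any post in this thread; the function names, the second inventory entry and the conservative name and source checks are assumptions.

```python
import re

# Conservative field-name check (an assumption of this example, stricter than Splunk requires).
FIELD_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def eval_literal(value):
    """Quote a static value as an eval string literal for an EVAL- setting."""
    if "\n" in value or "\r" in value:
        raise ValueError("line breaks would split the .conf setting: %r" % value)
    # Escape backslashes first, then double quotes, so the literal stays closed.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_stanza(source, fields):
    """Render one [source::...] stanza with an EVAL-<field> line per static field."""
    # Brackets and line breaks are rejected so a value cannot open a new stanza
    # (conservative: an assumption of this example).
    if not source or any(c in source for c in "[]\r\n"):
        raise ValueError("unsafe source pattern: %r" % source)
    lines = ["[source::%s]" % source]
    for name, value in fields.items():
        if not FIELD_NAME.fullmatch(name):
            raise ValueError("bad field name: %r" % name)
        lines.append("EVAL-%s = %s" % (name, eval_literal(value)))
    return "\n".join(lines)


def render_props(mapping):
    """Render every source in the mapping, stanzas separated by a blank line."""
    return "\n\n".join(render_stanza(s, f) for s, f in mapping.items()) + "\n"


# Constructed inventory; only the first entry comes from the thread.
INVENTORY = {
    "/temp/weblogic.log": {"appcomp": "weblogic", "apptier": "application", "appname": "e-commerce"},
    "/temp/apache/access.log": {"appcomp": "apache", "apptier": "web", "appname": "e-commerce"},
}

if __name__ == "__main__":
    print(render_props(INVENTORY), end="")
```

Run it and review the output before merging it into props.conf; values with embedded quotes or backslashes are escaped, and names or sources that could break the stanza layout are rejected.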