Hi,
I extracted from the default source field, at search time, a new field called 'domain':
| rex field=source "^(\/home)\/(?P<domain>\w+[^\/])"
(Practically it takes the directory which follows /home in a Linux path)
Now I'd like to have this field extraction active by default, every time I search the same sourcetype or index (and when I see the field extracted list from Settings).
I should put it correctly in the props.conf and transform.conf, but I do not know exactly the syntax...
Any suggestions?
Thanks,
Skender
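
One way to make the extraction above persistent at search time, as an added example that is not part of the original post. The stanza name `your_sourcetype` and the transform name `domain_from_source` are placeholders; the regex is the poster's own, kept unchanged.

```ini
# props.conf
# Option 1: inline extraction. "in source" applies the regex to the
# source field instead of the default _raw.
[your_sourcetype]
EXTRACT-domain = ^(\/home)\/(?P<domain>\w+[^\/]) in source

# Option 2: the same extraction through transforms.conf.
# Use this or Option 1, not both.
# [your_sourcetype]
# REPORT-domain = domain_from_source

# transforms.conf (only needed for Option 2)
# SOURCE_KEY selects the field the regex runs against at search time.
# [domain_from_source]
# SOURCE_KEY = source
# REGEX = ^(\/home)\/(?P<domain>\w+[^\/])
```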