I have a dedicated index for syslogs that I would like to add a 'static field' to:
MonFunc=sysmsgs ### Add to all events in this index
I'm trying to merge this data with related info in another logging index (which has a field extract for various function errors, generating the MonFunc). But doing an aggregate table-based summary (from all indexes), grouped by MonFunc, has all the syslogs showing up as NULL.
I know of one possible workaround (our monitor system has its own filter and log, adding its own msg before the actual syslog), but would prefer a 'simpler' solution than generating a custom syslog extractor. It would also end up bypassing other data that may be useful long-term, which I'm trying to avoid.
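To make the NULL bucket concrete, here is an added illustration that is not part of the post above and does not use any particular log platform's API: two constructed sets of events stand in for the syslog index (no MonFunc) and the application-log index (MonFunc filled by an extractor). The helper names `add_static_field` and `summarize_by`, the index names `syslog` and `applog`, and all event contents are assumptions made for the example. It shows why grouping across both indexes produces a NULL row, and how a per-index default that only fills in a missing value (coalesce semantics) removes the syslog rows from that bucket while leaving the other index's unparsed lines visible as a separate extractor problem.

```python
"""Model of a cross-index aggregation where one index lacks a field.

Added illustration (not from the original post): two small sets of
constructed events stand in for the syslog index and the application-log
index; the helpers show why the grouped summary has a NULL bucket and how a
per-index static field fills it without overwriting extracted values.
"""
from collections import Counter

# Constructed sample events (not real log data): syslog events carry no
# MonFunc, application-log events get it from a field extractor.
EVENTS = [
    {"index": "syslog", "message": "kernel: link up on eth0"},
    {"index": "syslog", "message": "sshd: session opened"},
    {"index": "applog", "message": "db timeout", "MonFunc": "dbcheck"},
    {"index": "applog", "message": "api 503", "MonFunc": "apicheck"},
    {"index": "applog", "message": "unparsed line"},  # extractor did not match
]


def add_static_field(events, index_name, field, value):
    """Return a copy of events in which every event from index_name has
    field set to value, unless the event already carries that field
    (coalesce semantics, so extracted values are never clobbered)."""
    out = []
    for ev in events:
        ev = dict(ev)  # copy so the caller's events are left untouched
        if ev.get("index") == index_name and ev.get(field) is None:
            ev[field] = value
        out.append(ev)
    return out


def summarize_by(events, field):
    """Group events by field value; events lacking the field land in the
    None bucket, which is what a data-table widget renders as NULL."""
    return dict(Counter(ev.get(field) for ev in events))


if __name__ == "__main__":
    # Before tagging: all syslog events, plus one unparsed applog line, are NULL.
    print(summarize_by(EVENTS, "MonFunc"))
    # After tagging: only the unparsed applog line remains in the NULL bucket,
    # which points at the extractor rather than at the syslog index.
    tagged = add_static_field(EVENTS, "syslog", "MonFunc", "sysmsgs")
    print(summarize_by(tagged, "MonFunc"))
```

The remaining None entry after tagging is deliberate: a blanket default across every index would hide extractor misses in the application-log index, so the default is keyed on the source index and applied only where the field is absent.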