Using diff in a search, the interface shows the following message: Pop from empty string The search is the following: index=main source="/etc/syslog-ng/syslog-ng.conf" | diff Source exists in the correct index, and without the diff it will show raw content revisions of said file. What am I doing wrong? Thanks. ... View more

Hi everyone. Quite new to the product, I am struggling a bit. All my logs are coming through syslog on TCP 514 and I am trying to get chance the sourcetype based on the name of the service logged, for example: 2010-11-03T16:54:26+01:00 canary.xxxxxxx.net named 17889 - - queries: info: client 127.0.0.1#57983: query: allsaintsfan-com-bk.mr.outblaze.com IN A + 2010-11-03T16:54:26+01:00 canary.xxxxxxx.net kernel - - - IPv6 addrconf: prefix with wrong length 56 Can anybody point me to the right direction? So far I have: input.conf [tcp://514] connection_host = dns source = syslog-tcp props.conf [source::syslog-tcp] TRANSFORMS-sourcetype = override-sourcetype transforms.conf [override-sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = \d{4}-?\d{2}-?\d{2}\D?\d{2}:\d{2}:\d{2}[+-]?\d{2}:\d{2}\s\S+\s(\S+) FORMAT = sourcetype::$1 Can anybody figure out what's not working in there? Thank you in advance. ... View more