I would like to add a new field at index time that will be visible in the list of events, in the same way as Host, source, sourcetype, etc.
It can't be extracted from the log itself because the information does not appear in the _raw.
Example:
[source :: C:\ABC\Log1.log]
Application = App1
[source :: C:\ABC\Log2.log]
Application = App2
[source :: C:\xyz\Log3.log]
Application = App3
The reason is to be able to quickly identify the origin of an event, considering that the source path is not enough for us.
I found two temporary solutions:
To add the name of the app in front of the source path.
To add a calculated field in the conf field. EVAL-APPLICATION = "App1"
Does someone have a better solution for me?
Thanks