Hi,
I need to define a static field on a data source, like ‘datacenter=Paris’. What is the best way to achieve that ?
Thanks
Hi,
I need to define a static field on a data source, like ‘datacenter=Paris’. What is the best way to achieve that ?
Thanks
Hello,
You can do this by using enrichment.
You can add a custom enrichment source which contains the data source and datacenter information. Then this source can be used in enrichment policy with rules like; data source must be present for the enrichment criteria, and data source matches the one in the csv.
This will add additional fields to the logs based on your enrichment source, like “datacenter=Paris”
Hope this answers your question.
Hi Jerome,
Rupsan’s answer is definitely the recommended way to go.
Alternatively, if you find that you are using normalization packages instead of compiled normalizers for the said device, then you can also clone the corresponding vendor normalization packages and edit the signatures to add a new field as datacenter = Paris.
Already have an account? Login
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.