All,
I have logs coming in from /var/log/messages and /var/log/maillog which have the hostname, not the FQDN. There is just too much change control and politics to get them fixed at the source. Looking for a way at index time to just make the correction.
Server names are well-formed: 12 characters ending in three numbers.
So I need to create a props.conf/transforms.conf on my indexer, just not sure what it will look like.
If host = .*\n\n\n then append mycompany.com
Any ideas what that might look like?
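One way to express the rule asked about above, as an added example that is not part of the original post. The stanza name `append_domain` and the class name `TRANSFORMS-fqdn` are hypothetical, and the regex assumes "12 characters ending in three numbers" means nine letters, digits or hyphens followed by three digits.

```ini
# ---- props.conf (on the indexer, or whichever instance parses the data) ----
# Apply the host rewrite only to the two sources named in the post.
[source::/var/log/messages]
TRANSFORMS-fqdn = append_domain

[source::/var/log/maillog]
TRANSFORMS-fqdn = append_domain

# ---- transforms.conf ----
[append_domain]
# Read the current host metadata; its value is presented as "host::<name>".
SOURCE_KEY = MetaData:Host
# Match only a bare 12-character name ending in three digits.
# Anchoring with ^ and $ means a host that already contains a dot
# (already an FQDN) does not match and is left unchanged.
REGEX = ^host::([A-Za-z0-9-]{9}\d{3})$
# Write the result back to the host metadata with the domain appended.
DEST_KEY = MetaData:Host
FORMAT = host::$1.mycompany.com
```

Index-time transforms only affect events indexed after the change, so events already in the index keep the short host name. Because the match is anchored, any host that does not fit the 12-character pattern passes through untouched rather than getting a wrong domain.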