I use **eventtypes.conf** to extract fields.
Then in **tags.conf** I set **warning=enable** for some of the fields.
Some are **error** and others are **information**.
In my search, this then shows up as **eventtype=xyz**, **tags=error**.
I would like to change this so I get a new field called **severity**.
How do I set the **severity** field based on **eventtype**?