Does anyone know of a way to create new events from already indexed data? Here is my issue:
1) I am monitoring a directory where random files with random file names are deposited for parsing
2) I need to index the data to figure out the sourcetype and set it
3) Once the data is already indexed (which I use to determine the sourcetype), I cannot seem to split the events anymore (using LINE_BREAKER or anything else)
It would be ideal if I could split the log file into separate events after I index it to determine sourcetype.