Hello everyone! I just have a brief question regarding the HEC input. Our primary data input is the HEC. For new applications that want to forward through our deployed Heavy Forwarder, we must first configure a token for them and set a sourcetype.
We're advocating for our applications to send data via a JSON format; however, if I were to select the _json sourcetype, this would not be correct. To provide an example of how their logs would look here's a JSON object:
{
    "time": 1426279439,
    "host": "localhost",
    "source": "datasource",
    "sourcetype": "txt",
    "event": "xx.xxx.xxx.xx /web/link/goes/here error 404"
}
I realize that the "event" attribute can be broken down into more key/value pairs, but most applications that want to integrate with our service may not want to separate out everything from their log in key/value pairs since some applications will not have a clear way of doing that.
If we were to provide additional extractions to the "event", it would modify the **_json** sourcetype (which we wouldn't want). We're assuming the best way around this problem is to duplicate the _json sourcetype and rename it so that we can add additional extractions?
Thanks in advance!
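Added example (not code from the post or from Splunk): a small Python sender that wraps a raw log line in the HEC envelope shown above, and, when the line matches the one shape in the example, turns the "event" into a JSON object so a JSON-aware sourcetype can extract the keys without touching the _json sourcetype. The HEC URL and token, the regex, the sample line and the sourcetype name `app:web` are assumptions.

```python
import json
import re
import time
import urllib.request

# Constructed sample line in the shape the post describes (not real log data).
SAMPLE_LINE = "10.0.0.5 /web/link/goes/here error 404"

# Assumed pattern for that one line shape: "<ip> <path> <level> <status>".
LINE_RE = re.compile(r"^(?P<client_ip>\S+) (?P<path>\S+) (?P<level>\w+) (?P<status>\d{3})$")


def parse_line(line):
    """Split the raw line into key/value pairs when it matches; otherwise return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def build_hec_event(line, host, source, sourcetype, ts=None):
    """Wrap a raw line in the HEC envelope (time/host/source/sourcetype/event).
    If the line parses, "event" becomes a JSON object; if not, it stays the raw
    string, exactly as the post's example does, so nothing is lost either way."""
    parsed = parse_line(line)
    return {
        "time": int(ts if ts is not None else time.time()),  # epoch seconds
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": parsed if parsed is not None else line,
    }


def send_to_hec(events, url, token, timeout=10):
    """POST a batch of envelopes to the HEC endpoint (assumed URL and token).
    HEC accepts several JSON objects in one request body, separated by newlines."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Splunk " + token)  # HEC token, never a user password
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    ev = build_hec_event(SAMPLE_LINE, "localhost", "datasource", "app:web", ts=1426279439)
    print(json.dumps(ev, indent=2))  # structured "event" with client_ip/path/level/status
```

The sending function is only wired up at the call site; run it against your own HEC endpoint (e.g. `https://<hf-host>:8088/services/collector`) with the token issued for the application.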