Hope you all have faced this situation. We get incoming mixed data from a single source (e.g. source=my_application.log). This is currently parsed at arrival as `sourcetype=my:application`, but it contains valuable information for `application:audit` and `application:transactions`, for example.
Most of the search-time extractions are similar for audit and transactions, but currently I have to copy all of the logic into each sourcetype, which is pure duplication of code.
Any ideas/tricks to ensure the search-time extractions done on the parent sourcetype can be inherited by the child sourcetypes?
Expecting something like below:
[my:application]
# all common extractions here
## Hope to inherit all work done in above sourcetype
[my:application:audit]
# some very specific extractions for audit only
[my:application:transaction]
# some very specific extractions for txns
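One way to write the common extractions only once in props.conf, shown here as an added example that is not part of the original question: search-time settings (EXTRACT-*, REPORT-*, FIELDALIAS-*, EVAL-*) can be keyed on the source as well as on the sourcetype, so a `[source::...]` stanza applies to every child sourcetype whose events come from that file. The file path, field names and regexes below are constructed for illustration, and the `(?::){0}` prefix that turns a sourcetype stanza name into a regular expression is assumed from props.conf.spec; check the spec for your Splunk version before relying on it.

```ini
# props.conf (constructed example; path, field names and regexes are illustrative)

# Common search-time extractions keyed on the SOURCE, so they apply to every
# sourcetype whose events arrive from this file (audit and transaction alike).
[source::.../my_application.log]
EXTRACT-common_ts   = ^(?<app_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
EXTRACT-common_user = \buser=(?<user>\S+)
EVAL-app_name       = "my_application"

# Alternative: key the common settings on a sourcetype regex. The (?::){0}
# prefix marks the stanza name as a regular expression (assumed from
# props.conf.spec; verify for your version).
[(?::){0}my:application:.*]
FIELDALIAS-common_src = src_ip AS src

# Child-only settings stay in the exact sourcetype stanzas.
[my:application:audit]
EXTRACT-audit_action = \baction=(?<action>\w+)

[my:application:transaction]
EXTRACT-txn_amount = \bamount=(?<amount>\d+(?:\.\d+)?)
```

Keep the class names after `EXTRACT-`, `EVAL-` and so on distinct across the shared and child stanzas: the settings are merged by class name, and where two stanzas define the same class the props.conf precedence rules (source patterns before host patterns before sourcetype) decide which one wins, which is easy to miss when an audit-only field silently disappears.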