I have a general question and I am more of a power user than admin level here (but I'm in the process of becoming one).
I went to use the `iplocation` command today from a data source (which we do not have - I suppose I need to define those too) but instead data that is simply tossed into indexes. When I examined firewall data, I noticed that there was no field **clientip** and therefore `iplocation` would not work. I know I can tag the **src_ip** field or something of that nature but what if I wanted to normalize this across any data index?
Furthermore, if I may make another inquiry - being there are no sourcetypes - just data in indexes, how would one go about defining those from the fields that are extracted?
Thank you all!