FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Overriding log event status

Go to solution
MartyM
Visitor

‎28 Oct 2022 08:32 AM - last edited on ‎02 Nov 2022 01:36 AM by Community Team

I have written a log processing rule to parse a log file.  Some log events have a secondary event log level that can be different from primary log level.  I want to set both the event's loglevel and status to the secondary log level.  When I test the rule it works perfectly, setting both the loglevel and status to "WARNING" using a FIELD_ADD.  However, when that rule is used to ingest the log data both fields are set to "NONE".  Is there something more I need to do?

Labels:
0 Kudos
Reply
2 REPLIES 2

Go to solution
ChadTurner
DynaMight Legend
DynaMight Legend

‎20 Jan 2023 07:09 AM

@MartyM were you able to get this issue resolved? 

-Chad
0 Kudos
Reply

Go to solution
MartyM
Visitor
In response to ChadTurner

‎23 Jan 2023 06:49 AM

@ChadTurner Yes, I just needed to another command to update the status field.

// Make sure the loglevel matches the event status
| FIELDS_ADD(status:UPPER(loglevel))
Reply
Ask a question