This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Overriding log event status

Go to solution
MartyM
Visitor

‎28 Oct 2022 04:32 PM - last edited on ‎02 Nov 2022 08:36 AM by Community Team

I have written a log processing rule to parse a log file.  Some log events have a secondary event log level that can be different from primary log level.  I want to set both the event's loglevel and status to the secondary log level.  When I test the rule it works perfectly, setting both the loglevel and status to "WARNING" using a FIELD_ADD.  However, when that rule is used to ingest the log data both fields are set to "NONE".  Is there something more I need to do?

0 Kudos
Reply
2 REPLIES 2

Go to solution
ChadTurner
DynaMight Legend
DynaMight Legend

‎20 Jan 2023 03:09 PM

@MartyM were you able to get this issue resolved? 

-Chad
0 Kudos
Reply

Go to solution
MartyM
Visitor
In response to ChadTurner

‎23 Jan 2023 02:49 PM

@ChadTurner Yes, I just needed to another command to update the status field.

// Make sure the loglevel matches the event status
| FIELDS_ADD(status:UPPER(loglevel))
Reply
Ask a question

Featured Posts