TZ = MST
BREAK_ONLY_BEFORE_DATE = True
TRANSFORMS-b = from_source
[host::*nyc*]
TZ = EDT
BREAK_ONLY_BEFORE_DATE = False
TRANSFORMS-c = from_host
The attributes applied to our event would therefore be:
TZ = MST
BREAK_ONLY_BEFORE_DATE = True
TRANSFORMS-a = from_sourcetype
TRANSFORMS-b = from_source
TRANSFORMS-c = from_host
Priorities inside a type
If there are multiple source or host stanzas that match a given event, the order in which settings are applied also comes into play. A stanza with a pattern has a priority of 0, while an exact stanza has a priority of 100. Higher priorities win. For instance, say we have the following stanzas:
[source::/logs/abc/def/gh.log]
TZ = UTC
[source::/logs/.../*.log]
TZ = CDT
Our TZ value will be UTC since the exact match of source::/logs/abc/def/gh.log has a higher priority.
When priorities are identical, stanzas are applied by ASCII order. For instance, say
we have this configuration snippet:
[source::/logs/abc/.../*.log]
TZ = MST
[source::/logs/.../*.log]
TZ = CDT
The attribute TZ=CDT would win because /logs/.../*.log is first in ASCII order. This may seem counterintuitive since /logs/abc/.../*.log is arguably a better match. The logic for determining what makes a better match, however, can quickly become fantastically complex, so ASCII order is a reasonable approach.
You can also set your own value of priority, but luckily, it is rarely needed.
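The within-type rules above can be checked before deploying a props.conf change, since a stanza that unexpectedly wins can silently shift event timestamps. The following is an added example, not code from the book or from Splunk: a simplified model of those rules, in which the names resolve and to_regex and the wildcard translation ("..." crosses directories, "*" stays within one path segment) are assumptions of the sketch.

```python
import re

# Constructed sample: the source stanzas from the snippets above, merged.
STANZAS = {
    "source::/logs/abc/def/gh.log": {"TZ": "UTC"},
    "source::/logs/abc/.../*.log": {"TZ": "MST"},
    "source::/logs/.../*.log": {"TZ": "CDT"},
}

def to_regex(spec):
    # Assumed wildcard semantics: "..." crosses directories, "*" stays in one segment.
    conv = {"...": ".*", "*": "[^/]*"}
    parts = re.split(r"(\.\.\.|\*)", spec)
    return re.compile("".join(conv.get(p, re.escape(p)) for p in parts))

def resolve(source, stanzas=STANZAS):
    """Return (settings, order); order lists matching stanzas, winner first."""
    matches = []
    for header, attrs in stanzas.items():
        spec = header.split("::", 1)[1]
        is_pattern = "*" in spec or "..." in spec
        if is_pattern:
            hit = to_regex(spec).fullmatch(source) is not None
        else:
            hit = spec == source
        if hit:
            # Defaults from the text: pattern = 0, exact = 100; "priority" overrides.
            prio = int(attrs.get("priority", 0 if is_pattern else 100))
            matches.append((-prio, spec, attrs))
    matches.sort(key=lambda m: m[:2])  # highest priority first, ties in ASCII order
    settings = {}
    for _, _, attrs in reversed(matches):  # apply losers first so winners overwrite
        settings.update((k, v) for k, v in attrs.items() if k != "priority")
    return settings, [spec for _, spec, _ in matches]

if __name__ == "__main__":
    settings, order = resolve("/logs/abc/def/gh.log")
    print("effective settings:", settings)
    print("precedence order:  ", order)
```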