Attributes with class
As you dig into configurations, you will see attribute names of the form FOO-bar.
The word after the dash is generally referred to as the class. These attributes are
special in a few ways:
• Attributes merge across files like any other attribute
• Only one instance of each class will be applied, according to the rules
described previously
• The final set of attributes is applied in ASCII order by the value of class
Once again, say we are presented with an event with the following fields:
sourcetype=foo_type
source=/logs/abc/def/gh.log
host=dns4.nyc.mycompany.com
And say that this is the configuration snippet:
[foo_type]
TRANSFORMS-a = from_sourcetype1, from_sourcetype2
[source::/logs/.../*.log]
TRANSFORMS-c = from_source_b
[source::/logs/abc/.../*.log]
TRANSFORMS-b = from_source_c
[host::*nyc*]
TRANSFORMS-c = from_host
The surviving transforms would then be:
TRANSFORMS-c = from_source_b
TRANSFORMS-b = from_source_c
TRANSFORMS-a = from_sourcetype1, from_sourcetype2
To determine the order in which the transforms are applied to our event, we sort the
stanzas according to the values of their classes, in this case, c, b, and a. This gives us:
TRANSFORMS-a = from_sourcetype1, from_sourcetype2
TRANSFORMS-b = from_source_c
TRANSFORMS-c = from_source_b
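The merge and ordering walked through above can be reproduced in a short Python script. This is an added example, not code from the original text or from the product it describes; the function names are hypothetical, and the precedence used when two stanzas set the same class (source over host over sourcetype) is an assumption standing in for the rules described previously.

```python
import re

# Constructed input: the configuration snippet and event from the text above.
PROPS = """\
[foo_type]
TRANSFORMS-a = from_sourcetype1, from_sourcetype2
[source::/logs/.../*.log]
TRANSFORMS-c = from_source_b
[source::/logs/abc/.../*.log]
TRANSFORMS-b = from_source_c
[host::*nyc*]
TRANSFORMS-c = from_host
"""
EVENT = {"sourcetype": "foo_type", "source": "/logs/abc/def/gh.log",
         "host": "dns4.nyc.mycompany.com"}

# Assumption (rule not stated on this page): source beats host beats sourcetype.
RANK = {"source": 2, "host": 1, "sourcetype": 0}

def wildcard_to_regex(pattern):
    """Stanza wildcards: '...' crosses path separators, '*' stops at '/'."""
    parts = re.split(r"(\.\.\.|\*)", pattern)
    table = {"...": ".*", "*": "[^/]*"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def parse(text):
    """Yield (field, pattern, attribute, value); no '::' means a sourcetype."""
    field = pattern = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            head, sep, rest = line[1:-1].partition("::")
            field, pattern = (head, rest) if sep else ("sourcetype", head)
        elif "=" in line and field:
            attr, value = (s.strip() for s in line.split("=", 1))
            yield field, pattern, attr, value

def resolve(text, event):
    """Keep one value per class, then order by class (part after the dash)."""
    winners = {}  # attribute name -> (rank, value)
    for field, pattern, attr, value in parse(text):
        if field not in RANK or not wildcard_to_regex(pattern).fullmatch(event[field]):
            continue
        # Simplification: equal-rank conflicts keep the first stanza seen.
        if attr not in winners or RANK[field] > winners[attr][0]:
            winners[attr] = (RANK[field], value)
    ordered = sorted(winners, key=lambda a: a.partition("-")[2])
    return [(a, winners[a][1]) for a in ordered]

if __name__ == "__main__":
    print("\n".join(f"{a} = {v}" for a, v in resolve(PROPS, EVENT)))
```

Run against the sample event, the script prints the same three lines as the final listing above; changing the event's source to a path outside /logs leaves from_host as the surviving TRANSFORMS-c.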
 