Configuring Auto Property Discovery for Log Source Types
You can configure auto discovery of new properties for a log source type.
By default, Auto Property Discovery for a log source type is disabled. Auto Property Discovery can be enabled on the Configuration tab. When enabled, new properties are automatically generated to capture all fields that are present in the events that the selected log source type receives. The newly discovered properties appear in the Properties tab of the DSM Editor.
Auto Property Discovery works only for structured data that is in JSON format.
- On the navigation menu (), click Admin to open the admin tab.
- In the Data Sources section, click DSM Editor.
- Select a log source type or create a new one from the Select Log Source Type window.
- Click the Configuration tab.
- Click Enable Auto Property Discovery.
- Select the structured data format for the log source type from the Property Discovery Format list. The default is JSON.
- To enable new properties to be use in rules and searches, turn on the Enable Properties for use in Rules and Search Indexing.
- In the Discovery Completion Threshold field,
set the number of consecutive events to inspect for new properties.
If no new properties are discovered when the number of consecutive events are inspected, the discovery process is considered complete and Auto Property Discovery is disabled. You can manually re-enable Auto Property Discovery at any time. A threshold value of 0 means that the discovery process perpetually inspects events for the selected log source type.
- Click Save.