Configuring Property Autodetection for Log Source Types
Configure Property Autodetection of new properties for a log source type so that you do not need to manually create a log source for each instance.
By default, Property Autodetection for a log source type is disabled. Enable Property Autodetection on the Configuration tab. When enabled, new properties are automatically generated to capture all fields that are present in the events that the selected log source type receives. The newly discovered properties appear in the Properties tab of the DSM Editor.
Property Autodetection works only for structured data that is in JSON, CEF, or LEEF format.
- On the navigation menu, click Admin.
- In the Data Sources section, click DSM Editor.
- Select a log source type or create a new one from the Select Log Source Type window.
- Click the Configuration tab.
- Click Enable Auto Property Discovery.
- Select the structured data format for the log source type from the Property Discovery Format list. The default is JSON.
- To enable new properties to be used in rules and searches, turn on the Enable Properties for use in Rules and Search Indexing option.
- In the Discovery Completion Threshold field, set the number of consecutive events to inspect for new properties.
  If no new properties are discovered within that number of consecutive events, the discovery process is considered complete and Property Autodetection is disabled. You can manually re-enable Property Autodetection at any time. A threshold value of 0 means that the discovery process perpetually inspects events for the selected log source type.
- Click Save.
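
The Discovery Completion Threshold behavior from the steps above, modeled as an added Python sketch; it is not QRadar code. The dotted property names, the `discover` function, and the treatment of an unparseable event as "no new properties" are assumptions made for illustration, and the events are constructed samples.

```python
import json

# Constructed sample events (not real log data) for one JSON log source type.
SAMPLE_EVENTS = [
    '{"user": "alice", "src_ip": "10.0.0.5", "action": "login"}',
    '{"user": "bob", "src_ip": "10.0.0.6", "action": "login"}',
    '{"user": "bob", "action": "logout", "session": {"id": "a1"}}',
    '{"user": "alice", "src_ip": "10.0.0.5", "action": "logout"}',
    'not json at all',
    '{"user": "bob", "src_ip": "10.0.0.6", "action": "login"}',
    '{"user": "carol", "action": "login", "mfa_method": "totp"}',
]

def field_names(obj, prefix=""):
    """Yield a dotted name for every leaf field of a parsed JSON object."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from field_names(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}"

def discover(raw_events, threshold):
    """Return (properties, events_inspected, completed) for a given threshold."""
    properties = []   # discovered property names, in discovery order
    quiet = 0         # consecutive events that produced no new property
    inspected = 0
    for raw in raw_events:
        inspected += 1
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None  # assumption: unparseable events add nothing new
        new = []
        if isinstance(event, dict):
            new = [n for n in field_names(event) if n not in properties]
        if new:
            properties.extend(new)
            quiet = 0     # the run of consecutive quiet events starts over
        else:
            quiet += 1
        # A threshold of 0 never completes: discovery keeps inspecting events.
        if threshold > 0 and quiet >= threshold:
            return properties, inspected, True
    return properties, inspected, False

if __name__ == "__main__":
    for t in (2, 4, 0):
        print(t, discover(SAMPLE_EVENTS, t))
```

With a threshold of 2 the model completes after five events and never records `mfa_method`, which first appears in the seventh event; a threshold of 4 or 0 captures it. Fields that occur rarely are the ones a low threshold misses.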