Properties in the DSM Editor
In the DSM Editor, normalized system properties are combined with custom properties and are sorted alphabetically.
A DSM cannot have multiple properties with the same name.
The configuration of a system property differs from that of a custom property.
System properties cannot be deleted, but you can override their default behavior. There are two types of system properties:
Predefined system property -- Displays the default JSA behavior that is used for the DSM.
Override system property -- A system property with an override configured (through a log source extension) shows Override in the status line. When a system property has an override, a log source extension for that DSM uses the regular expressions that you entered for the configuration.
Custom properties show Custom in the status line.
Custom properties differ from system properties in these ways:
Custom properties display Custom below their name.
Custom properties have no Override system behavior check box.
To make a custom property available for rules and search indexing, select the Enable this Property for use in Rules and Search Indexing check box when you create a custom property.
When you select this option, JSA attempts to extract the property from events as soon as they enter the pipeline. The extracted property information and the remainder of the event record are persisted, so the property does not need to be extracted again when it is used in a search or report. This process improves performance when the property is retrieved, but it can have a negative impact on performance during event collection and storage.
Custom properties must have one or more expressions to be valid.