Defining a Source Filter

You can add a new source filter that is assigned to the data model.

The source filters bind multiple data models to a log source.

Procedure

  1. In the Source filter field, enter the source filter statement that is assigned to this data model. Source filters can be used only on system columns (one or more). All filter statements described in the FILTER Statement section are supported, except that a full text search must be specified explicitly, for example, sys_body CONTAINS '<searchstring>'.
    For example,
    sys_sourceType=165 AND sys_body CONTAINS '<searchstring>'
    where 165 is the device type ID that is retrieved from LMI.
    Note: If you specify multiple data models, the first model whose filter matches the event is used to parse that event, extracting all columns specified by that model.
  2. Click Validate to validate the filter statement.
  3. To add a new parsing rule, click 2. Add sample events and parsing rules or click the icon located on the right side of the page. Or, to add only the source filter, click Save.
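
The first-match rule in the note under step 1 means a broad filter placed ahead of a narrower one takes every event, so the narrower model's columns are never extracted. The following sketch is an added example, not product code: it models only the two term forms shown on this page (`=` and `CONTAINS`, joined by `AND`), treats `CONTAINS` as a case-sensitive substring test (an assumption), and uses hypothetical model names and a constructed event.

```python
import re

# Constructed example: model names and filters are hypothetical. List order is evaluation order.
MODELS = [
    ("generic_fw", "sys_sourceType=165"),
    ("fw_deny", "sys_sourceType=165 AND sys_body CONTAINS 'deny'"),
]
# Constructed event, keyed by system column.
EVENT = {"sys_sourceType": 165, "sys_body": "fw01 deny tcp 10.0.0.5 -> 10.0.0.9"}

_TERM = re.compile(r"\s*(sys_\w+)\s*(=|CONTAINS)\s*(?:'([^']*)'|([^\s']+))\s*")

def parse_filter(statement):
    """Parse `term AND term ...` into a list of (column, operator, value)."""
    terms, pos = [], 0
    while True:
        m = _TERM.match(statement, pos)
        if not m:
            raise ValueError(f"unsupported filter near {statement[pos:]!r}")
        col, op, quoted, bare = m.groups()
        terms.append((col, op, quoted if quoted is not None else bare))
        pos = m.end()
        if pos == len(statement):
            return terms
        if not statement.startswith("AND", pos):
            raise ValueError(f"expected AND near {statement[pos:]!r}")
        pos += 3

def matches(terms, event):
    """True when every term holds; CONTAINS is assumed to be a case-sensitive substring test."""
    for col, op, value in terms:
        actual = str(event.get(col, ""))
        if (op == "=" and actual != value) or (op == "CONTAINS" and value not in actual):
            return False
    return True

def select_model(models, event):
    """Return the first model whose filter matches the event, or None."""
    for name, statement in models:
        if matches(parse_filter(statement), event):
            return name
    return None

def shadowed(models):
    """List (later, earlier) pairs where the earlier filter's terms are a subset of the
    later one's, so every event the later model would match is taken by the earlier one."""
    parsed = [(name, set(parse_filter(stmt))) for name, stmt in models]
    return [(later, earlier)
            for i, (later, lt) in enumerate(parsed)
            for earlier, et in parsed[:i] if et <= lt]
```

With the order shown, `select_model(MODELS, EVENT)` returns the generic model and `shadowed(MODELS)` reports the narrower one as unreachable; listing the narrower model first resolves both.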