I have a Symantec Messaging Gateway syslog input that provides syslog with no keys, only values. For example:
2013-07-11T13:13:16-04:00 appliance-name ecelerity: 1373562795|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|SENDER|some-email-address@domain.tld
Right now this entire event is contained within the "_raw" field. The log data is everything after "ecelerity:" and each value is delimited by a pipe character. What I'd like to do is create fields for those values and then index the event so I can search on those fields. The example above would have five fields:
- Epoch Time
- Unique ID
- Action
- Sender Address
It's important to note that the above example is but one among many. Some of the other events have more values and the keys for those values will differ based on the type of event (though everything up to and including the 'Action' field would be consistent across events).
What I need is the means to parse these events and then create rules for each event to add keys to the values. How can I do this? I'm thinking something in the props/transforms, but I'm not exactly sure how.
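As an added illustration of the parsing logic being asked about (not part of the original question, and not Splunk props/transforms syntax), here is a stand-alone Python model: fixed field names for everything up to and including the Action, then a per-action key map for the trailing values. Only the SENDER line comes from the question; the RECIPIENT key names and the other sample lines are constructed placeholders, not Symantec's real schema.

```python
import re
from typing import Dict, List

# Constructed sample lines in the Symantec Messaging Gateway format described
# above. Only the first (SENDER) line is from the question; the rest are made up.
SAMPLE_LOGS = [
    "2013-07-11T13:13:16-04:00 appliance-name ecelerity: 1373562795|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|SENDER|some-email-address@domain.tld",
    "2013-07-11T13:13:17-04:00 appliance-name ecelerity: 1373562796|d6038c16-b7fe96d000000710-2d-51dee7aae3dd|RECIPIENT|someone@example.test|ACCEPT",
    "2013-07-11T13:13:18-04:00 appliance-name ecelerity: 1373562797|deadbeef-000000000000000-00-000000000000|UNKNOWNTYPE|a|b|c",
]

# Everything up to and including the action is consistent across event types.
COMMON_KEYS = ["epoch_time", "unique_id", "action"]

# Key names for the trailing values, chosen by action. SENDER follows the
# question; RECIPIENT is a hypothetical placeholder map, not SMG's real schema.
ACTION_KEYS: Dict[str, List[str]] = {
    "SENDER": ["sender_address"],
    "RECIPIENT": ["recipient_address", "verdict"],
}

# Capture the pipe-delimited payload that follows the "ecelerity:" program tag.
PAYLOAD_RE = re.compile(r"\secelerity:\s+(?P<payload>.+)$")


def parse_smg_event(raw: str) -> Dict[str, str]:
    """Split one raw syslog line into named fields.

    Returns an empty dict for lines that are not ecelerity events or that
    lack the three common fields, so callers can skip them cleanly.
    """
    m = PAYLOAD_RE.search(raw)
    if not m:
        return {}
    values = m.group("payload").split("|")
    if len(values) < len(COMMON_KEYS):
        return {}
    fields = dict(zip(COMMON_KEYS, values))
    extra = values[len(COMMON_KEYS):]
    # Name trailing values by action type; unknown actions or surplus values
    # fall back to positional names so nothing is silently dropped.
    names = ACTION_KEYS.get(fields["action"], [])
    for i, value in enumerate(extra):
        key = names[i] if i < len(names) else f"value{i + len(COMMON_KEYS) + 1}"
        fields[key] = value
    return fields


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch of raw lines, dropping anything that is not an SMG event."""
    return [f for f in (parse_smg_event(line) for line in lines) if f]
```

The same split-then-map approach is what a REPORT-style field extraction would do in Splunk, with one transform capturing the common prefix and per-action transforms naming the remainder.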