Log file annotations
The annotations that are defined by the log file index configurations are described here.
The index configuration file is included in the Insight Pack in the sourcetypes.json file (found at <path>/SyslogInsightPack_<version>/metadata), where <path> is the path where you saved the Syslog Insight Pack.
You can customize the artifacts in the index configuration file by creating another source type and modifying a copy of the Syslog index configuration.
The following sections describe the fields that are defined in the index configuration file. These fields, or annotations, are displayed in the IBM® Operations Analytics - Log Analysis Search workspace, and can be used to filter or search the log records. Fields are extracted from the fields of a log record or collected from metadata around the log file. Each table gives the names of the fields (these names correspond to fields in the IBM Operations Analytics - Log Analysis Search workspace), descriptions of how the related annotations are made, and the index configuration attributes assigned to the fields.
Log record annotations
| Field | Description | Attributes |
|---|---|---|
| syslogHostname | The hostname from the message. | |
| syslogRelayHostname | The hostname of the system the message was received from (in a relay chain, this is the system immediately in front, and not necessarily the original sender). | |
| tag | The TAG from the message. | |
| programName | The static part of the tag as defined by BSD syslogd. For example, when TAG is "named[12345]", programName is "named". | |
| processID | The contents of the PROCID field. | |
| facility | The facility from the message. | |
| severity | The severity from the message (in text form). | |
| syslogAppName | The APP-NAME from the message. | |
| message | The MSG (the message) in the log record. | |
Metadata annotations
The following table lists the index configuration fields that relate to metadata annotations.
| Field | Description | Annotation attributes |
|---|---|---|
| datasourceHostname | The host name that is specified in the data source. | |
| timestamp | The timestamp from the log record. | |
| application | The application name that is populated by the service topology data source field. | |
| middleware | The middleware name that is populated by the service topology data source field. | |
| hostname | The host name that is populated by the service topology data source field. | |
| service | The service name that is populated by the service topology data source field. | |
| logRecord | The entire log record output by the splitter. | |