Hello,
You can do this by using enrichment.
You can add a custom enrichment source which contains the data source and datacenter information. Then this source can be used in enrichment policy with rules like; data source must be present for the enrichment criteria, and data source matches the one in the csv.
This will add additional fields to the logs based on your enrichment source, like “datacenter=Paris”
Hope this answers your question.
Hi Jerome,
Rupsan’s answer is definitely the recommended way to go.
Alternatively, if you find that you are using normalization packages instead of compiled normalizers for the said device, then you can also clone the corresponding vendor normalization packages and edit the signatures to add a new field as datacenter = Paris.
Hi,
both previous answers are correct, nevertheless there is an other way by creating a labeling package and add Paris as a label to the logs.
Greetings
Irakli
Please sign in to leave a comment.
3 comments