As I read the Sumo Logic description of Source Host and Source Name compared to the Amazon CloudWatch Logs description of Log Streams and Log Groups, Source Host seems to map much better to a Log Stream, and Source Name seems to map much better to a Log Group:
Source Host: "...Sumo Logic recommends that you carefully select a meaningful name that uniquely identifies the host from which data is collected..."
Log Stream: "...a log stream is generally intended to represent the sequence of events coming from the application instance or resource..."
Source Name: "... the file path entered when you created your Source..."
Log Group: "...a typical log group organization for a fleet of Apache web servers could be the following: MyWebsite.com/Apache/access_log, or MyWebsite.com/Apache/error_log..."
However, the log collector maps them the opposite way.
I understand swapping this would probably mess with many clients' queries if they actually consumed it, so I don't have a problem forking this for our own purposes. I don't want to use the overrides or map in my log data, because this is extra duplicate configuration I don't want to manage.
But we are wondering why it wouldn't be mapped like this? What is the logic?