Broadly Scoped Field Extraction Rule and Hidden Fields
One source category has a combination of several different log files from the same device that should be parsed with FERs for easier searching. The first FER has a broad scope that extracts three fields common to all log file sources. The second FER is narrowly scoped for only one log file source in the category by adding more search words to the scope in addition to the _sourceCategory, as per the documentation. However, the fields from the narrowly scoped FER appear as "Hidden Fields" when searching the first, more broadly defined scope. Of course, these fields have "Null Value" all over, as the fields only apply to the second, narrow scope. These fields are confusing, even if hidden.
Why do these Hidden Fields appear when searching the broad scope? Am I doing something wrong?
Official comment
Hi Robert,
However, the fields from the narrowly scoped FER appear as "Hidden Fields" when searching the first, more broadly defined scope. Of course, these fields have "Null Value" all over, as the fields only apply to the second, narrow scope.
This is expected behavior when you have two FERs for the same source category, even if one of them is more narrowly scoped with additional keywords.
From our Best Practices:
Avoid targeting the same field name in the same message with multiple FERs. When more than one FER targets the same message with the same field name, one of the rules will NOT apply. The rule applied to the specific field name is randomly selected. Don't use the same field names in multiple FERs that target the same messages.
I apologize for the confusion. The lowest common denominator for multiple FERs would be at the source category level.
Let me know if you have any further questions.
Best regards,
Raghu