Create a Source Rule
- From the Controller top navigation bar, click Analytics.
- From the left navigation panel, click Configuration > Log Analytics. You see two tabs, one for Source Rules and one for Agent Scopes.
- From the Source Rules tab, click + Add. You see the Add Source Rule panel.
- In the Add Source Rule panel, select your starting point for the source rule. Note that you can also use a job file as the starting point for your source rule. See Migrate Log Analytics Job Files to Source Rules.
- Use Collection Type to indicate whether the source log file resides on the local filesystem or will be collected from a network connection. Note: Collecting from a network connection is used only for a TCP source rule, which extracts log analytics fields from syslog messages received over TCP. See Collect Log Analytics Data from Syslog Messages.
- Use the Browse button to locate and specify a sample log file to preview the results of your configuration. You can also specify a sample file later in the configuration process during the field extraction step.
- Click Next to see the Add Source Configuration page. Some fields may be prepopulated with data if you selected either a Splunk AppDynamics template or an existing source rule as your starting point. The four tabs are:
  - General
  - Field Extraction
  - Field Customization
  - Agent Mapping
- On the General tab, name your rule, specify its location, timestamp handling, and other general characteristics. See General Configuration.
- On the Field Extraction tab, configure the fields that you want to capture from your log file. For more details on the fields on this subtab, see Field Extraction. For a detailed procedure on using Auto Field Extraction, see Field Extraction for Source Rules. Note: Use the simplest possible regular expressions and grok matching patterns. Do not make excessive use of wildcards or quantifiers, because they can slow the responsiveness of the Controller UI. Examples of expensive and greedy quantifiers can be found at https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html.
- On the Field Management tab, you can customize the handling of fields in a number of ways, including masking sensitive data, renaming fields, changing the data type, and more. See Field Management.
  - Mask Value: Use this option to mask values of sensitive data such as credit card numbers or social security numbers. Select Mask Value and enter the starting index and ending index (1 and 4 respectively for the example shown) and a character to use for masking in the display, such as an asterisk (*).
  - Replace Value: Use this option to replace the entire data field with a static string. Select Replace Value and enter the string to use:
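The following Python script is an added illustration of the two steps above and is not code from Splunk AppDynamics or the Controller: it runs a field-extraction pattern over constructed sample log lines (fake card numbers), then applies a Mask Value rule (positions 1 through 4 replaced with `*`) and a Replace Value rule to the extracted fields. The log format, field names and the `GREEDY` pattern are assumptions made for the example; the Controller's own extraction engine uses Java regular expressions and grok, but the point about specific versus greedy patterns is the same.

```python
import re

# Constructed sample log lines (not taken from the page); the card numbers are fake test values.
SAMPLE_LOG = [
    "2024-01-15 10:22:01 INFO user=alice card=4111111111111111 msg=payment ok",
    "2024-01-15 10:22:05 WARN user=bob card=5500000000000004 msg=retry",
]

# Specific, anchored pattern: every field is bounded by a narrow character class, so the
# engine never has to scan to the end of the line and backtrack.
SPECIFIC = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) user=(?P<user>[^\s]+) card=(?P<card>\d+) msg=(?P<msg>.*)$"
)

# Greedy pattern of the kind the note warns against: '.*' runs to the end of the line and
# then backtracks to the last whitespace, so 'user' swallows the card field as well.
GREEDY = re.compile(r"user=(?P<user>.*)\s")


def extract_fields(line, pattern=SPECIFIC):
    """Return the named groups of the first match as a dict, or None if nothing matched."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def mask_value(value, start, end, char="*"):
    """Mask characters from 1-based position 'start' through 'end' inclusive (Mask Value rule)."""
    if start < 1 or end < start:
        raise ValueError("start must be >= 1 and end must be >= start")
    if start > len(value):
        return value  # nothing to mask in a value shorter than the start index
    end = min(end, len(value))  # clamp so short values do not gain extra mask characters
    return value[: start - 1] + char * (end - start + 1) + value[end:]


def replace_value(value, replacement):
    """Replace the whole field with a static string (Replace Value rule)."""
    return replacement


def process_line(line):
    """Extract the fields of one line, then apply the masking and replacement rules."""
    fields = extract_fields(line)
    if fields is None:
        return None
    fields["card"] = mask_value(fields["card"], 1, 4)          # e.g. 4111... -> ****...
    fields["user"] = replace_value(fields["user"], "[REDACTED]")
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("specific:", process_line(line))
        print("greedy  :", extract_fields(line, GREEDY))
```

Running the script shows that the specific pattern captures `user=alice` while the greedy pattern captures `alice card=4111111111111111 msg=payment`; the greedy version is both slower and wrong, which is why the note recommends narrow character classes over `.*` and nested quantifiers.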
- On the Agent Mapping tab, assign the source rule to specific Agent Scopes.
- Click Save when you are finished. The source rule is saved in a disabled state.