Configuring property autodetection for log source types

When you enable Property Autodetection, new properties are automatically generated to capture all fields that are in the events that the selected log source type receives. Configure property autodetection of new properties for a log source type so that you do not need to manually create a custom property for each instance.

About this task

By default, Property Autodetection for a log source type is disabled.

Procedure

  1. In the DSM Editor, select a log source type or create a new one from the Select Log Source Type page.
  2. Click the Configuration tab.
  3. Click Enable Property Autodetection.
    Restriction: Property autodetection works only for structured data that is in JSON, CEF, LEEF, XML or Name Value Pair format.
  4. Select the structured data format for the log source type from the Property Detection Format list.
    If you choose Name Value Pair, in the Delimiter In Name Value Pairs section, enter the delimiter used to separate each name and value, and the delimiter used to separate each Name Value Pair. Delimiters for each pair are automatically created.
  5. To make new properties available for use in rules and searches, click Enable Properties for use in Rules and Search Indexing.
  6. In the Autodetection Completion Threshold field, set the number of consecutive events to inspect for new properties.
    If no new properties are discovered after that number of consecutive events is inspected, the discovery process is considered complete and Property Autodetection is disabled. You can manually re-enable Property Autodetection at any time. A threshold value of 0 means that the discovery process perpetually inspects events for the selected log source type.
  7. Click Save.

Results

The newly discovered properties appear in the Properties tab of the DSM Editor.
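
Example

The following Python sketch is an added illustration, not product code. It models the Name Value Pair delimiters from step 4 and the Autodetection Completion Threshold from step 6, and shows how a low threshold can end discovery before a rarely seen field arrives. The function names, the sample events, and the assumption that counting starts at the first inspected event are all constructed for this example.

```python
# Added illustration: a simplified model of the documented behavior,
# not the product's implementation. All names and events are constructed.

def parse_nvp(payload, pair_delim, kv_delim):
    """Split a Name Value Pair payload using the two delimiters from step 4."""
    fields = {}
    for pair in payload.split(pair_delim):
        name, sep, value = pair.partition(kv_delim)
        if sep and name.strip():  # skip fragments with no name/value delimiter
            fields[name.strip()] = value.strip()
    return fields


def autodetect(events, threshold, pair_delim="|", kv_delim="="):
    """Return (property names in discovery order, index of the event at which
    discovery completed). The index is None if discovery never completed."""
    discovered = []
    quiet = 0  # consecutive events that contributed no new property
    for index, payload in enumerate(events):
        names = parse_nvp(payload, pair_delim, kv_delim)
        new = [n for n in names if n not in discovered]
        if new:
            discovered.extend(new)
            quiet = 0  # a new property resets the consecutive count
        else:
            quiet += 1
        # A threshold of 0 means discovery never completes on its own.
        if threshold > 0 and quiet >= threshold:
            return discovered, index
    return discovered, None


# Constructed sample events; the "mfa" field only appears in the fourth one.
EVENTS = [
    "src=10.0.0.5|user=alice|action=login",
    "src=10.0.0.6|user=bob|action=login",
    "src=10.0.0.5|user=alice|action=logout",
    "src=10.0.0.7|user=carol|action=login|mfa=true",
    "src=10.0.0.5|user=alice|action=login",
]

if __name__ == "__main__":
    for threshold in (2, 3, 0):
        props, done_at = autodetect(EVENTS, threshold)
        print(f"threshold={threshold}: properties={props} completed_at={done_at}")
```

With a threshold of 2 the model completes at the third event and never records the mfa field, which is the case where you would manually re-enable Property Autodetection or choose a higher threshold.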