When you enable Property Autodetection, new properties are automatically generated to capture all fields in the events that the selected log source type receives. Configure property autodetection for a log source type so that you do not need to manually create a custom property for each instance.
About this task
By default, Property Autodetection for a log source type is disabled.
Procedure
- In the DSM Editor, select a log source type or create a new one from the Select Log Source Type page.
- Click the Configuration tab.
- Click Enable Property Autodetection.
  Restriction: Property autodetection works only for structured data that is in JSON, CEF, LEEF, XML or Name Value Pair format.
- Select the structured data format for the log source type from the Property Detection Format list.
  If you choose Name Value Pair, in the Delimiter In Name Value Pairs section, enter the delimiter used to separate each name and value, and the delimiter used to separate each Name Value Pair. Delimiters for each pair are automatically created.
- To make new properties available for use in rules and searches, click Enable Properties for use in Rules and Search Indexing.
- In the Autodetection Completion Threshold field, set the number of consecutive events to inspect for new properties.
  If no new properties are discovered after that number of consecutive events is inspected, the discovery process is considered complete and Property Autodetection is disabled. You can manually re-enable Property Autodetection at any time. A threshold value of 0 means that the discovery process perpetually inspects events for the selected log source type.
- Click Save.
Results
The newly discovered properties appear in the Properties tab of the DSM Editor.
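The following added example (not IBM's code and not part of the original page) models the Name Value Pair delimiters and the Autodetection Completion Threshold described above, and shows that a field which first appears after discovery completes is not captured until autodetection is re-enabled. The function names, the constructed sample events, and the choice to reset the counter whenever a new property is found are assumptions.

```python
def parse_nvp(payload, pair_delim, kv_delim):
    """Split a Name Value Pair payload using the two configured delimiters."""
    fields = {}
    for pair in payload.split(pair_delim):
        name, sep, value = pair.partition(kv_delim)
        if sep and name.strip():  # skip fragments that have no name/value delimiter
            fields[name.strip()] = value.strip()
    return fields


def autodetect(events, threshold, pair_delim="|", kv_delim="="):
    """Return (property names in discovery order, still_enabled, events_inspected).

    Assumption: the consecutive-event counter resets whenever an event
    contributes a new property. A threshold of 0 never completes.
    """
    known, quiet, inspected = [], 0, 0
    for payload in events:
        inspected += 1
        new = [n for n in parse_nvp(payload, pair_delim, kv_delim) if n not in known]
        known.extend(new)
        quiet = 0 if new else quiet + 1
        if threshold and quiet >= threshold:
            return known, False, inspected  # discovery complete, autodetection disabled
    return known, True, inspected


# Constructed sample events; the "reason" field only shows up in the last one.
SAMPLE = [
    "src=192.0.2.5|dst=192.0.2.9|action=allow",
    "src=192.0.2.6|dst=192.0.2.9|action=deny",
    "src=192.0.2.7|dst=192.0.2.9|action=deny|user=alice",
    "src=192.0.2.8|dst=192.0.2.9|action=allow|user=bob",
    "src=192.0.2.5|dst=192.0.2.9|action=allow|user=bob",
    "src=192.0.2.5|dst=192.0.2.9|action=deny|user=carol|reason=policy",
]

if __name__ == "__main__":
    for t in (2, 3, 0):
        names, enabled, seen = autodetect(SAMPLE, t)
        print(f"threshold={t}: inspected={seen} enabled={enabled} properties={names}")
```

With a threshold of 2, discovery completes after the fifth event and the late `reason` field is never turned into a property; a threshold of 3 or 0 picks it up.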