There is a log source that publishes events in JSON format, but the field names are 3-digit numbers, not English, like below:
{"xyzEvent" : {111 : "2017-03-20 02:58:02.000",222 : "New", 333 : "Alex Bob"}}
I wanted to rename those field names when the events arrive, not when support users search in the application.
For example, I wanted to rename 111 to "TimeStamp"; 222 to "EventType"; 333 to "User", etc.
Could you advise the easiest way to do so?
Ways I have tried:
I was thinking of configuring the search props.conf to specify those fields, but it seems I can only configure it based on regex. It does not seem to be an efficient way...