Create Log Source Virtualization Templates
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Administration, and then click Log Source Virtualization Template Manager.
On the upper-left side of the Log Source Virtualization Template Manager, click the plus sign to create a new template.
The Log Source Virtualization Template Properties dialog box appears.Enter a name for the template.
(Optional) Enter a description for the Template.
Click the Associate Virtual Source button.
The Virtual Log Source Manager dialog box appears.Select the Action check box for each of the virtual log sources that you want to include in the template, and then click Associate.
In the Log Source Virtualization Template Properties dialog box, sort the virtual log sources as needed for the regexes to properly run from top to bottom against the parent log source.
Proper sort order is essential in cases where one regex only differs from another by having additional identifiers at the end of it. For example, if a regex such as ^.*SSN LOOKUP:.*$ is sorted to run before a regex of ^.*SSN LOOKUP:.*XXX.*$, virtual log sources that should be matched with the latter regex will be incorrectly matched with the former.
Select a virtual log source that needs to be resorted.
Click either the Up or Down sorting arrow icons as necessary to move the virtual log source into a suitable position in the hierarchy.
Repeat steps a and b as needed until all the virtual log sources are properly sorted.
(Optional) To test the template’s parsing accuracy, click Test Template.
The Test Virtual Log Source Template dialog box appears.In the Sample Log(s) text box, enter a collection of sample logs and click Test.
The Test Virtual Log Source Template dialog box appears.In the Match Regex Test Results window, verify whether the sample logs were correctly parsed based on the number of logs assigned to each virtual log source, then click OK.
Repeat the previous steps as necessary until you achieve the results you want.
Click OK to save.