I've had some strange experiences where even though I've set up a file type for a specific log file, when it comes up in a search it shows the right value for "_tag", but _type as "basic". Any idea why that is? I've tried re-indexing, but that didn't help.
Hi Thom,
That _tag is associated with the DataSource identify, while the _type is the matching DataType. The basic type is the default type mapping a matching DataType could not be found. Upon Indexing a file the tag and the type will be identified. Also, whenever a datatype is changed then all files with a 'basic' type will be evaluated to see if they meet the criteria in the data type page (doesnt need to be reindexed as types are evalauted at search-time).
So what conditions might cause Logscape to skip a Filetype where the tag name and file name in the filetype item match, but Logscape uses the basic data type? Is it a content match failure?
Hi Thom,
Yes, content has failed to match. The rules for a data type to match are to first match Path/Filename then the pattern. If the pattern fails to match then the next, lower priority type will be tried. When a match cannot be found then basic is applied.
Sorry no. I deleted the old datatype and recreated a new one, then it worked. On a side note, I'm finding it would be helpful to identify the field names captured by each of the datatypes. Also that ability to preview/test results in synthetics parsing. It would save me a lot of time.
