To capture and present log records as analytics data, you must configure one or more log sources for the Analytics Agent. The Analytics Agent uses the log source configuration to:

  • Capture records from the log file
  • Structure the log data according to your configuration
  • Send the data to the Analytics Processor

The Controller presents the Log Analytics data in the Analytics UI. 

Before attempting to configure Log Analytics, confirm that you have installed and configured the components described in Install Agent-Side Components and, for on-premises deployments, Custom Install and Events Service Deployment.

Versions < 4.3 use job files to configure the log sources. You may continue to use job files that were created in previous versions. If you want to collect new log events into our platform, we recommend that you use the Centralized Log Management UI to define source rules. You may also find it useful to replace existing job file configurations with the new source rules so you can take advantage of new features introduced in 4.3. See Migrate Log Analytics Job Files to Source Rules.

To configure data collection for your log sources, see Configure Log Analytics Using Source Rules.

Manage Extracted Fields

In Controller < 4.3, you could extract fields from logs in the Controller UI. This is described on the Create Extracted Fields from Logs page. This option is not available in Controller >= 4.3. It is replaced entirely by Field Extraction in the Centralized Log Management UI. See Configure Log Analytics Using Source Rules for details.

Fields that were extracted by this mechanism in previous versions appear in the Extracted Fields list. Hovering over the field reveals a View icon. Click the View icon to delete the field or to see the configuration details:

  • Regular expression used to extract the field

  • Field name

  • Field type

  • Source type