Hi all, I have followed the instructions contained in https://www.bro.org/sphinx-git/frameworks/logging.html#filtering to create a new field output. I have noticed that the fields you choose to include cannot be re-ordered for display. For example, if I put the ‘ts’ field in the first position like this:
local filter: Log::Filter = [$name="orig-only", $path="origs", $include=set("id.orig_h","ts")];
the record displays with it in the first position. I assume this is because the include set is just a toggle that does not affect display order, which is based on the field position in INFO. How do I re-order the fields for display? Is this done in the writer?
– Eric –