Hello,
I might be able to help. As for your first question:
It depends on how you set up your environment for searching a particular application.
This can be done with either a unique field or a tag to sort through the ingested logs. This can be done through a pipeline, an extractor, or from the source (log shipper).
Example from the source: this is a remote server in my environment. I was extracting logs from an application called NextCloud using NXLog. I created an input with the same name as my application, "nextcloud".
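```
# The instance name "nextcloud" is what arrives as SourceModuleName.
<Input nextcloud>
    Module        im_file
    File          "/mnt/nextcloud-data1/nextcloud.log"
    # Remember the read position across restarts and start at the end of the file.
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec          $Message = $raw_event;
</Input>
```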
Now here is what I receive on my GL server.
I just use the field called SourceModuleName to route my messages to a stream. Therefore, I do not need to create an extractor/pipeline for a new field.
As you can see, I can have multiple ones, as shown on my widget below.
Depending on what type of log shipper you're using, this is possible.
You could use a pipeline to grab what you need and route-to-stream that way also. I guess the main subject here is you may need the correct field first.
Hope that helps.
EDIT: is this the same post?
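
The pipeline alternative mentioned above, as an added example that is not part of the original post: a Graylog pipeline rule that routes on the SourceModuleName value set by the NXLog input. The stream name "nextcloud" and the extra "application" field are assumptions for illustration; the stream must already exist.

```graylog
rule "route nextcloud logs by SourceModuleName"
when
  // Only act on messages that carry the NXLog instance-name field,
  // so logs from other shippers are left untouched.
  has_field("SourceModuleName") &&
  lowercase(to_string($message.SourceModuleName)) == "nextcloud"
then
  // Assumed stream name. remove_from_default keeps the message out of
  // the default stream so it is not stored and searched twice.
  route_to_stream(name: "nextcloud", remove_from_default: true);
  // Hypothetical tag field, useful if you prefer searching by a field
  // that does not depend on the shipper's naming.
  set_field("application", "nextcloud");
end
```

The rule has to sit in a pipeline stage connected to the stream the messages first arrive in, otherwise it never runs.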