Hello all - I’m currently working on onboarding the data below into Splunk from Fleet but wasn’t sure about the

s

field values (0,1,2) stand for. I believe it stands for

severity

but wasn’t sure on what the 0/1/2 stands for (INFO,WARNING,FATAL?). Was curious if anyone knows what they stand for. Oh - does anyone know what the

i

field stand for too? Thanks!

{
  "s": 0,
  "f": "interface.cpp",
  "i": 110,
  "m": "Registering extension (kolide, 16829, version=, sdk=)",
  "h": "hash_here",
  "c": "Fri Mar 19 21:03:27 2021 UTC",
  "u": 1616187807
}

Try looking in osquery docs or asking in #general, as this is just an osquery status log.

Gotcha, thanks for the response @zwass!