How many times has your search shown raw syslog data, then attempted to process it as RFC 5424 (i.e. "correct" syslog) and, wouldn't ya know it, the access point logs don't match the spec? That's ok: with Gravwell we can adjust the autoextractor to pull out the fields you want and process them as JSON, all without having to re-ingest or alter any sort of schema.
Because Gravwell is structure-on-read, a minor tweak to the query pulls the JSON out of the Ubiquiti logs for analysis, and that extraction applies retroactively to data already ingested.
No data is lost while we "fix" the schema, and no upfront work is required. Gravwell can do this on the fly at any time, which is crucial whether you are investigating something basic like this syslog or something complicated like attackers exfiltrating data over DNS.
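The read-time extraction described above, as an added example that is not Gravwell's code or query language: a small Python parser that first tries an RFC 5424 header and, when the line does not match the spec, falls back to locating the JSON object embedded in the message, so the same stored lines yield fields without being re-ingested. The sample lines, host names and field names are constructed, not real Ubiquiti output.

```python
import json
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|\[.*?\])\s*(?P<msg>.*)$"
)

# Constructed sample lines (not real Ubiquiti output): BSD-style syslog carrying a
# JSON payload, a spec-compliant RFC 5424 line, and a line with no JSON at all.
SAMPLE_LINES = [
    '<14>Jan 12 10:15:02 ap-lobby hostapd: {"event":"assoc","sta":"aa:bb:cc:dd:ee:ff","rssi":-61}',
    '<165>1 2024-01-12T10:15:03Z ap-lobby hostapd 1234 ID47 - {"event":"deauth","sta":"11:22:33:44:55:66"}',
    "<14>Jan 12 10:15:04 ap-lobby kernel: wlan0: link down",
]

def parse_rfc5424(line):
    # Header fields of a spec-compliant line, or None when the line does not match.
    m = RFC5424.match(line)
    return m.groupdict() if m else None

def extract_json(text):
    # First JSON object embedded anywhere in text; a stray '{' that is not JSON is skipped.
    decoder = json.JSONDecoder()
    start = text.find("{")
    while start != -1:
        try:
            obj, _ = decoder.raw_decode(text, start)
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass
        start = text.find("{", start + 1)
    return None

def structure_on_read(line, fields):
    # Parse at query time over the raw stored line: use the RFC 5424 header if present,
    # then pull the requested fields from the JSON payload. Nothing is re-ingested.
    header = parse_rfc5424(line)
    payload = extract_json(header["msg"] if header else line)
    if header is None and payload is None:
        return {"_parse": "unparsed", "raw": line}
    row = {"_parse": "rfc5424" if header else "json"}
    if header:
        row["host"] = header["host"]
    row.update({f: (payload or {}).get(f) for f in fields})
    return row

if __name__ == "__main__":
    for row in (structure_on_read(l, ["event", "sta", "rssi"]) for l in SAMPLE_LINES):
        print(row)
```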