Thanks appreciate the screenshots. These are the same steps I have followed in the past however there are a few key differences in what it allows me to do:
* The parser applied to the data source is pre-defined standard by McAfee so I can't change it however it allows me to copy it and make changes to the copied ones which I did and disabled the original parser.
* With the old parser disabled and the new parser enabled with the normalization changed it still hit the data source rules relating to the old parser so I disabled those also (as they cannot be deleted, modified or copied)
* With the old data source rules disabled I had hoped the new parser would generate new auto learned data source rules however it unfortunately did not.
Unfortunately as this has taken too long I have had to take another approach which has worked.
I have setup the devices to send their logs in a different format and used a different parser which has generated a bunch of new auto learned data source rules which I can modify the normalization on without issue. This provides the functionality I require so I am going to stick with it. I have to do a little tuning on the parser to get all the fields correct but this is a lot quicker than trying to use the parser "JUNOS_SD Structured-Data Message"
Because you an issue with the data source that why did not succeed to change the normalized ID.
So in order to avoid this problem you did setup the device to send their logs in a different format and used a different parser will give you the ability to modify the normalization without any issue.
Because the procedure that I did give to you is already used so many times to solve the issue unless you have a problem at the data source which is another issue.