Getting Data In

How to change or add meta data for syslog facility/priority fields

infrauser
Explorer

I have a syslog box forwarding to splunk for indexing. I have the input type setup as syslog. Unfortunately, it doesn't appear that splunk automatically decodes the syslog facility/priority integer. I would like to either add this meta data to each message (preferred) or change the incoming message (less preferred) before splunk indexes it.

I found a script over at splunkbase which appears to have the logic for the decoding portion, however it looks like this script can only be used during searches.

I would prefer not to go the route of performing the decoding during searching as it seems like it would add quite a bit of overhead compared to having it already indexed with the facility/priority.

Thanks in advance for any advice.

Tags (1)
0 Karma
1 Solution

infrauser
Explorer

Following up, I've read a number of items which discourage the practice of adding fields to the index and instead using search time fields. I ended up creating a lookup file with the priorities, facilities, severity. I then created a field extraction for the syslog priority and then a transform to output the associated facility/severity. – infrauser Dec 22 at 2:07

View solution in original post

0 Karma

Jason
Motivator

Splunk can automatically decode it with the Syslog Priority Field Decoder Lookup app.

</plug>

0 Karma

infrauser
Explorer

Following up, I've read a number of items which discourage the practice of adding fields to the index and instead using search time fields. I ended up creating a lookup file with the priorities, facilities, severity. I then created a field extraction for the syslog priority and then a transform to output the associated facility/severity. – infrauser Dec 22 at 2:07

0 Karma

infrauser
Explorer

Following up, I've read a number of items which discourage the practice of adding fields to the index and instead using search time fields.

I ended up creating a lookup file with the priorities, facilities, severity. I then created a field extraction for the syslog priority and then a transform to output the associated facility/severity.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...