I have a syslog box forwarding to splunk for indexing. I have the input type setup as syslog. Unfortunately, it doesn't appear that splunk automatically decodes the syslog facility/priority integer. I would like to either add this meta data to each message (preferred) or change the incoming message (less preferred) before splunk indexes it.
I found a script over at splunkbase which appears to have the logic for the decoding portion, however it looks like this script can only be used during searches.
I would prefer not to go the route of performing the decoding during searching as it seems like it would add quite a bit of overhead compared to having it already indexed with the facility/priority.
Thanks in advance for any advice.
Following up, I've read a number of items which discourage the practice of adding fields to the index and instead using search time fields. I ended up creating a lookup file with the priorities, facilities, severity. I then created a field extraction for the syslog priority and then a transform to output the associated facility/severity. – infrauser Dec 22 at 2:07
Splunk can automatically decode it with the Syslog Priority Field Decoder Lookup app.
</plug>
Following up, I've read a number of items which discourage the practice of adding fields to the index and instead using search time fields. I ended up creating a lookup file with the priorities, facilities, severity. I then created a field extraction for the syslog priority and then a transform to output the associated facility/severity. – infrauser Dec 22 at 2:07
Following up, I've read a number of items which discourage the practice of adding fields to the index and instead using search time fields.
I ended up creating a lookup file with the priorities, facilities, severity. I then created a field extraction for the syslog priority and then a transform to output the associated facility/severity.