I'm about to help a client get some data split into different sourcetypes from syslog, based on a facility code set by the device.
Assuming I turn on no_priority_stripping in the udp input, is there a more elegant solution than just regexing off of _raw to split this out? Or are facility/priority codes not pulled out at index time?
They are not handled specially, so you'd need to use a regular expression against the _raw data.
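Added example, not part of the question or the answer above: the syslog PRI that survives in _raw when no_priority_stripping is on encodes facility*8 + severity, so a regex that selects one facility has to match exactly the eight PRI values of that facility (local4 = 20 is 160..167, and a loose pattern like `^<16` would also catch 16..19 and 168..169). The script below decodes the PRI from constructed sample lines, builds a correctly anchored facility regex, and emits the transforms.conf stanza that regex would go into; the stanza names, sourcetype names and sample lines are assumptions, the setting names (SOURCE_KEY, REGEX, FORMAT, DEST_KEY = MetaData:Sourcetype) are standard Splunk ones.

```python
import re
from typing import Dict, Optional, Tuple

# Regex for the PRI field at the very start of the raw event, as Splunk's
# transforms see it via SOURCE_KEY = _raw when the priority is not stripped.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(raw: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a syslog line, or None if no valid PRI.

    PRI = facility * 8 + severity, with facility 0..23 and severity 0..7,
    so the highest legal PRI is 191.
    """
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri >> 3, pri & 7


def facility_regex(facility: int) -> str:
    """Regex matching exactly the eight PRI values of one facility.

    Anchored at the start of _raw and listing every PRI explicitly, so that
    e.g. facility 20 matches <160>..<167> but never <16> or <168>.
    """
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0..23")
    low = facility * 8
    alternatives = "|".join(str(low + severity) for severity in range(8))
    return rf"^<(?:{alternatives})>"


def route(raw: str, mapping: Dict[int, str], default: str = "syslog") -> str:
    """Pick a sourcetype for one line from a facility -> sourcetype mapping.

    This mirrors what the transforms.conf stanzas do at index time, so the
    mapping can be checked offline against real sample events first.
    """
    decoded = decode_pri(raw)
    if decoded is None:
        return default
    facility, _severity = decoded
    return mapping.get(facility, default)


def transforms_stanza(name: str, facility: int, sourcetype: str) -> str:
    """Render a transforms.conf stanza that rewrites the sourcetype.

    The stanza must be referenced from props.conf for the input's base
    sourcetype, e.g. TRANSFORMS-facility = <name> (hypothetical names).
    """
    return "\n".join([
        f"[{name}]",
        "SOURCE_KEY = _raw",
        f"REGEX = {facility_regex(facility)}",
        f"FORMAT = sourcetype::{sourcetype}",
        "DEST_KEY = MetaData:Sourcetype",
    ])


# Constructed sample events (not real device output).
SAMPLE_LINES = [
    "<166>Jan 12 10:00:01 fw01 %ASA-6-302013: Built outbound TCP connection",  # local4, info
    "<13>Jan 12 10:00:02 host1 sshd[123]: Accepted publickey for ops",          # user, notice
    "<1>Jan 12 10:00:03 host2 kernel: Out of memory: Killed process 4242",      # kern, alert
    "Jan 12 10:00:04 host3 no PRI on this line at all",                         # no PRI
]

# Hypothetical facility -> sourcetype plan for the client's devices.
FACILITY_TO_SOURCETYPE = {20: "syslog_firewall", 1: "syslog_user"}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{route(line, FACILITY_TO_SOURCETYPE):16} {line[:50]}")
    print()
    print(transforms_stanza("set_st_firewall", 20, "syslog_firewall"))
```

One stanza per facility keeps each REGEX readable; when several facilities share a sourcetype, join their PRI lists in a single alternation rather than relying on a prefix match.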