How to create a search-time field based on source ...

unixdude · ‎12-09-2011

Very new to Splunk and need help.

I have close to 20 syslogd/syslog-ng streams coming in on 3 ports: udp/10513, tcp/10514, tcp/10515. Each stream has it's own unique proto/port/priority combination. I'd like to create a field based on these parameters so later I could easily separate these streams for various users in the company.

As you probably know, priority is the first number at the beginning of a line, <22> in the line below

<22>Dec  9 12:51:44 sendmail[9017]: [ID 801593 mail.info] pB9KpcPT009015

So I was thinking about creating the priority field, and then two more off of it: facility and severity (priority = (facility * 😎 + severity). Then I wanted to do some kind of table lookup and create yet another field - log_file_type:

- IF udp:10513 and facility=2 THEN log_file_type=MAIL

- IF tcp/10515 and facility=17 THEN log_file_type=JCACHE_NOHUP

- etc, etc

I found out about transformers.conf and props.conf and I can only parse out <22> and assign it to the priority filed. The minute I try to do math everything falls apart. I don't really care at this point whether it will be search- or index-time... I was told I better not touch index-time processing.

Any help is greatly appreciated!

Alex.

unixdude · ‎12-09-2011

Got a semi-satisfactory result with eventtypes.conf



[splunk@splunk01 /opt/splunk/etc/system/local]$ cat eventtypes.conf 

[app on jsp and ejb]

search = source="udp:10513" priority>=145 AND priority<152

"priority>=145 AND priority<152" is a sucky way of saying facility=18 (or local2). I'd very much prefer to use that, so I'm still looking how to calculate facility and severity.

How to create a search-time field based on source port and facility

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life