"no-priority-stripping" is set to False by default. I'm sure there's a good reason for that, but Splunk doesn't seem to index the priorities before stripping them, which makes it difficult for me to narrow down events. I've tried "anomalies" and a couple of other search modifiers, but I still get results I don't need (e.g. non-important maillog entries).
Any ideas? How do others do it?
It needs to be set to true.
# inputs.conf
[udp://514]
no_priority_stripping = true
This will keep your priority field on any syslog events indexed into Splunk via UDP port 514. This won't work for TCP syslog though.
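The `<N>` prefix that Splunk strips by default encodes both facility and severity (N = facility * 8 + severity, RFC 3164). The following is an added example, not code from this thread or from Splunk, showing how to split that value and use it to drop low-severity or mail-facility noise; the sample syslog lines are constructed for the example.

```python
import re

# Facility codes 0-23 and severity codes 0-7 as defined in RFC 3164 / RFC 5424.
# Severity 0 (emerg) is the most urgent, 7 (debug) the least.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The PRI field is "<N>" at the very start of the line, N in 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return facility/severity for a line that still carries its <PRI> header.

    Returns None when the header is absent (e.g. already stripped by Splunk)
    or when the number is outside the valid 0..191 range.
    """
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility_num, severity_num = divmod(pri, 8)
    return {
        "pri": pri,
        "facility_num": facility_num,
        "facility": FACILITIES[facility_num],
        "severity_num": severity_num,
        "severity": SEVERITIES[severity_num],
        "message": line[m.end():],
    }


def filter_events(lines, max_severity=4, exclude_facilities=("mail",)):
    """Keep events at or above a severity threshold and outside noisy facilities.

    max_severity=4 keeps emerg..warning and drops notice/info/debug.
    exclude_facilities defaults to the mail facility, the noise the question mentions.
    Lines without a parseable PRI are dropped, since no priority can be judged.
    """
    kept = []
    for line in lines:
        event = parse_pri(line)
        if event is None:
            continue
        if event["severity_num"] > max_severity:
            continue
        if event["facility"] in exclude_facilities:
            continue
        kept.append(event)
    return kept


# Constructed sample lines (not real log data), as they would arrive over UDP
# with no_priority_stripping = true.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for user on /dev/pts/8",   # auth.crit
    "<22>Oct 11 22:14:16 host postfix/smtpd[1234]: connect from mx.example",   # mail.info
    "<13>Oct 11 22:14:17 host logger: routine notice",                         # user.notice
    "<11>Oct 11 22:14:18 host backup[99]: job failed: disk full",              # user.err
    "<18>Oct 11 22:14:19 host postfix/qmgr[77]: queue file corrupt",           # mail.crit
    "<0>Oct 11 22:14:20 host kernel: panic - not syncing",                     # kern.emerg
    "Oct 11 22:14:21 host sshd[5]: priority header already stripped",          # no PRI
    "<200>Oct 11 22:14:22 host bogus: out-of-range PRI",                       # invalid
]

if __name__ == "__main__":
    for event in filter_events(SAMPLE_LINES):
        print(f"{event['facility']}.{event['severity']}: {event['message']}")
```

Once the header is retained in the index, the same split can be done at search time in SPL with `rex "^<(?<pri>\d+)>"` followed by `eval facility=floor(pri/8), severity=pri%8`, and then `where severity<=4 AND facility!=2` gives the equivalent of the filter above.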