Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Information missing on Splunk syslog

are0002
Path Finder
‎06-13-2012 09:15 AM

Hi,

I have a network device that sends to Splunk syslog messages using udp 514. The messages are like:

Wed Jun 13 17:37:09 2012: <182>receive event capwap disconnect: eventid = 88: length = 0
Wed Jun 13 17:37:46 2012: <182>[wifi]: wifi0: reduce CCA to 49
Wed Jun 13 17:37:51 2012: <182>CAPWAP: capwap predefine server name file isn't exist.
(this messages are captued using tftpd32 syslog server)

When I receive these messages in Splunk I see that string "<182>" is missed. I used "Show source" option search view, and I got this messages:

Jun 13 17:37:09 213.96.11.95 receive event capwap disconnect: eventid = 88: length = 0
Jun 13 17:37:46 213.96.11.95 [wifi]: wifi0: reduce CCA to 49
Jun 13 17:37:51 213.96.11.95 CAPWAP: capwap predefine server name file isn't exist.

Does anyone know what's happening?

Regards,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution

JoeIII
Path Finder
‎07-16-2013 06:48 AM

To elaborate on the earlier answer:

By default, splunk strips the syslog priority from incoming syslog messages.

to stop this behavior, add "no_priority_stripping = true" to your syslog source.

there is an app on splunkbase syslog_priority_lookup that will extract this and create facility and severity fields at search time - very useful information.

0 Karma
Reply
Solved! Jump to solution

are0002
Path Finder
‎06-13-2012 09:20 AM

I can see in the network capture that <182> is the syslog level info.
It seems Splunk does not analyse syslog protocol correctly.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...