Hi,
I'm trying to test Splunk's handling of structured data using an RFC 5494 compliant message. When I netcat the following message to port 516 (where Splunk is listening via a UDP input, sourcetype syslog),
echo -n '<165>1 2011-02-04T20:06:00.000000+02:00 superhostomg progname - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="123"] Message portion. Test log with structured data.' | nc -w 1 -u localhost 516
It results in splunk indexing the following:
Feb 8 01:38:34 localhost.localdomain 1 2011-02-04T20:06:00.000000+02:00 superhostomg progname - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="123"] Message portion. Test log with structured data.
host=localhost.localdomain | sourcetype=syslog | source=udp:516
So as you can see, it's just pushing everything to the message portion of the log entry. Syslog-ng parses this message fine in the same manner. I would expect Splunk with a "syslog" sourcetype to automatically parse RFC 5424 compliant messages. What am I doing wrong?
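To make concrete what "parsing RFC 5424" means for the message in the post, here is an added example (not code from the original post, and not Splunk's or syslog-ng's own parser) that splits the header fields, decodes the STRUCTURED-DATA block including its backslash escapes, and separates the free-text MSG. The second helper, recover_from_indexed, is an assumption about the indexed line shown above: it locates the VERSION + TIMESTAMP pair inside the line Splunk stored (where the receiver has already consumed the <PRI>) so the same parser can be applied to it. The sample messages are the constructed ones from the post.

```python
import re
from datetime import datetime

# Constructed samples: the raw message sent with netcat, and the line as indexed.
RAW = ('<165>1 2011-02-04T20:06:00.000000+02:00 superhostomg progname - ID47 '
       '[exampleSDID@32473 iut="9" eventSource="rawr" eventID="123"] '
       'Message portion. Test log with structured data.')
INDEXED = ('Feb 8 01:38:34 localhost.localdomain 1 2011-02-04T20:06:00.000000+02:00 '
           'superhostomg progname - ID47 [exampleSDID@32473 iut="9" '
           'eventSource="rawr" eventID="123"] Message portion. Test log with structured data.')

# HEADER = [<PRI>]VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
# PRI is optional here so a line whose receiver already stripped it still parses.
HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?(?P<version>\d{1,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
)


def parse_structured_data(text):
    """Parse STRUCTURED-DATA at the start of text; return ({sd_id: {name: value}}, rest)."""
    if text.startswith('-'):                      # NILVALUE: no structured data
        return {}, text[1:]
    elements = {}
    i = 0
    while i < len(text) and text[i] == '[':
        i += 1
        j = i
        while j < len(text) and text[j] not in ' ]':  # SD-ID ends at SP or ']'
            j += 1
        sd_id = text[i:j]
        params = {}
        i = j
        while i < len(text) and text[i] == ' ':   # zero or more SD-PARAMs
            i += 1
            eq = text.find('=', i)
            if eq < 0 or eq + 1 >= len(text) or text[eq + 1] != '"':
                raise ValueError('SD-PARAM must be name="value"')
            name = text[i:eq]
            i = eq + 2
            buf = []
            while True:
                if i >= len(text):
                    raise ValueError('unterminated PARAM-VALUE')
                c = text[i]
                if c == '\\' and i + 1 < len(text) and text[i + 1] in '"\\]':
                    buf.append(text[i + 1])       # RFC 5424 escapes: \" \\ \]
                    i += 2
                elif c == '"':
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            params[name] = ''.join(buf)
        if i >= len(text) or text[i] != ']':
            raise ValueError('unterminated SD-ELEMENT')
        i += 1
        elements[sd_id] = params
    return elements, text[i:]


def parse_rfc5424(raw):
    """Return a dict of header fields, decoded structured data and the MSG part."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError('not an RFC 5424 header')
    fields = m.groupdict()
    fields['version'] = int(fields['version'])
    if fields['pri'] is not None:                 # PRI = facility * 8 + severity
        fields['pri'] = int(fields['pri'])
        fields['facility'], fields['severity'] = divmod(fields['pri'], 8)
    fields['time'] = (None if fields['timestamp'] == '-'
                      else datetime.fromisoformat(fields['timestamp']))
    sd, rest = parse_structured_data(raw[m.end():])
    fields['structured_data'] = sd
    # MSG is optional and, when present, is separated from STRUCTURED-DATA by one SP
    fields['msg'] = rest[1:] if rest.startswith(' ') else (rest or None)
    return fields


def recover_from_indexed(line):
    """Assumption: the stored line wraps an intact RFC 5424 body after a BSD-style prefix.
    Find 'VERSION SP TIMESTAMP' and parse from there."""
    m = re.search(r'(?<!\S)\d{1,2} \d{4}-\d{2}-\d{2}T', line)
    if not m:
        raise ValueError('no RFC 5424 body found')
    return parse_rfc5424(line[m.start():])


if __name__ == '__main__':
    for label, parsed in (('raw', parse_rfc5424(RAW)), ('indexed', recover_from_indexed(INDEXED))):
        print(label, parsed['hostname'], parsed['msgid'], parsed['structured_data'], '|', parsed['msg'])
```

Running the block prints the host, MSGID, the decoded SD-PARAMs and the MSG for both the raw datagram and the stored line, which makes the difference visible: the fields are all still present in the indexed event, they just have not been split out into separate indexed fields.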