topic Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client in Getting Data In

Splunk Indexer stripping out fields when receiving data from SplunkLF Client

balbano — Thu, 20 May 2010 21:25:48 GMT

Apparently my indexer is stripping out the syslog-ng flag fields ([INFO], [WARNING], and [CRIT]) when indexing syslog-ng logs it receives from a Splunk Light Indexer. Any reason for this? Do I need to do anything to inputs.conf or put an entry in props.conf or transforms.conf? Any help would be appreciated.

Thanks!!!

Brian

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

the_wolverine — Fri, 21 May 2010 04:12:00 GMT

In your inputs.conf, try setting the following for your udp/syslog input:

no_priority_stripping = true

Otherwise, syslog priority is stripped by default.

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

balbano — Fri, 21 May 2010 07:21:49 GMT

for the indexer or the deployment client?

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

the_wolverine — Fri, 21 May 2010 20:52:37 GMT

This is a inputs.conf setting that goes on your lightforwarder.

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

balbano — Tue, 25 May 2010 03:56:53 GMT

wolverine, doesn't look like it worked for me.... here is the snippet I appended to the default Splunk LF inputs.conf file which I am deploying to my forwarders:

[monitor:///var/log/]
disabled = false
index = sec
no_priority_stripping = true

Is that not correct? Pls. confirm. Thanks.

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

Genti — Wed, 26 May 2010 05:40:05 GMT

You did ./splunk restart after you edited your config file, aye? (sorry for asking, but you have no idea how many forget to do it..)

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

balbano — Wed, 26 May 2010 06:58:22 GMT

i modded the config via deployment server, which is suppose to do a splunk restart after receiving config changes, so it should have worked. Maybe I'll try to test by rebooting from the light forwarder itself to see if that fixes the issue. Thanks.

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

gkanapathy — Mon, 28 Sep 2020 09:12:53 GMT

no_priority_stripping is only relevant on UDP (syslog) inputs. It won't affect file data. I find it unlikely that fields are actually being removed from the files themselves however, unless you've got a specific TRANSFORM or SEDCMD rule to do it. Are you mixing config and input types with your questions? The behavior and config for "monitor:" vs "udp:" is different.

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

balbano — Thu, 27 May 2010 00:33:11 GMT

gkanapathy, I have my Splunk Light Forwarders sending syslog-ng logs to the central indexers via TCP 9996 (over SSL). I have never modified default transform.conf file. So I'm not really sure. I just happened to notice when comparing the logs locally to the system to what the Splunk Indexer was outputing in the Search App.

Not really sure honestly. I'll keep messing with it I guess.

Brian

Re: Splunk Indexer stripping out fields when receiving data from SplunkLF Client

balbano — Thu, 15 Jul 2010 00:29:52 GMT

gkanapathy, I have tested this with having splunk receive syslog-ng traffic directly on UDP 514 and it did not fix the problem. Any other ideas that I can investigate? Let me know. Thanks.