topic How do keep splunk from removing syslog priority fields? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9668#M141 <P>How do keep splunk from removing syslog priority fields? They are removed once indexed into splunk.</P> Tue, 09 Feb 2010 02:33:49 GMT Chris_R_ 2010-02-09T02:33:49Z How do keep splunk from removing syslog priority fields? https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9668#M141 <P>How do keep splunk from removing syslog priority fields? They are removed once indexed into splunk.</P> Tue, 09 Feb 2010 02:33:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9668#M141 Chris_R_ 2010-02-09T02:33:49Z Re: How do keep splunk from removing syslog priority fields? https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9669#M142 <P>There is a optional flag within inputs.conf you can place in any UDP input stanza, such as</P> <P>[udp://514]</P> <P>no_priority_stripping = true</P> <P>This will keep your priority field on any syslog events indexed into splunk via udp port 514</P> Tue, 09 Feb 2010 02:36:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9669#M142 Chris_R_ 2010-02-09T02:36:00Z Re: How do keep splunk from removing syslog priority fields? https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9670#M143 <P>will this also work for SSL? for example:</P> <P>[splunktcp-ssl:9996]<BR /> compressed = true<BR /> no_priority_stripping = true</P> <P>Kindly confirm. </P> <P>Thanks!</P> <P>Brian</P> Mon, 28 Sep 2020 09:12:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9670#M143 balbano 2020-09-28T09:12:39Z Re: How do keep splunk from removing syslog priority fields? https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9671#M144 <P>Unfortunately this only works with syslog via UDP inputs.<BR /> If using a tcp input, you would have to set up a props/transforms entry to store these fields.</P> Thu, 20 May 2010 06:25:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-keep-splunk-from-removing-syslog-priority-fields/m-p/9671#M144 Chris_R_ 2010-05-20T06:25:07Z