https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158559#M32154 <P>To "mark as answered" just click the check-mark outline.</P> Sat, 30 Nov 2013 06:26:25 GMT lguinn2 2013-11-30T06:26:25Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158554#M32149 <P>I am responsible for an "agent" that sends Syslog messages to a variety of SIEMs and similar software. I have based on trial-and-error introduced some options that seem to make it more "Splunk-friendly." Is there a document that would help with this effort?</P> Wed, 27 Nov 2013 17:10:13 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158554#M32149 CharlesM2 2013-11-27T17:10:13Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158555#M32150 <P>Splunk knows a lot of syslog-type formats; some of them it recognizes automatically. For others, you can specify the sourcetype that Splunk should use. In the documentation links, I think you will find a syslog format that matches what you have without a lot of work on your part.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Listofpretrainedsourcetypes">List of pretrained sourcetypes</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Whysourcetypesmatter">Why sourcetypes matter</A></P> <P>If you really have the ability and desire to create/use a new format, you can look at this</P> <P><A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6">Logging best practices</A></P> <P>That's pretty cool, but most people don't have that kind of control over the output format. And Splunk works perfectly well with many standard formats. I'm just sorry that you had to do the trial-and-error approach first!</P> Wed, 27 Nov 2013 18:36:24 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158555#M32150 lguinn2 2013-11-27T18:36:24Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158556#M32151 <P>Great stuff! Thanks! I am doing all of the stuff in the early paragraphs of "Logging Best Practices." I am not using commas but I could trivially -- do commas really help? (I am just using spaces.) Everything is</P> <P>keyword<BR /> label=value<BR /> label="value with embedded blanks"</P> <P>separated by spaces.</P> <P>What about embedded quotation marks in quoted strings? What is the standard?</P> <P>label="As the saying goes, \"a stitch in time saves nine\""<BR /> label="As the saying goes, ""a stitch in time saves nine"""<BR /> label='As the saying goes, "a stitch in time saves nine"'</P> <P>For Syslog data that is standard RFC 3164: <PRI>mmm dd hh:mm:ss hostname and then the tag=value formats above, what should be the pretrained source type?</PRI></P> <P>Thanks again. Don't see a "mark as answer" button.</P> Wed, 27 Nov 2013 19:01:22 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158556#M32151 CharlesM2 2013-11-27T19:01:22Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158557#M32152 <P>Ooh, it stripped my escapes in the above. My first suggested format escaped the embedded " with backslashes.</P> Wed, 27 Nov 2013 19:02:55 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158557#M32152 CharlesM2 2013-11-27T19:02:55Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158558#M32153 <P>Ooh, it stripped my escapes in the above. My first suggested format escaped the embedded " with backslashes.</P> Wed, 27 Nov 2013 19:03:01 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158558#M32153 CharlesM2 2013-11-27T19:03:01Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158559#M32154 <P>To "mark as answered" just click the check-mark outline.</P> Sat, 30 Nov 2013 06:26:25 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158559#M32154 lguinn2 2013-11-30T06:26:25Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158560#M32155 <P>for quoted strings ,the standard should be</P> <P><CODE>label="As the saying goes, \"a stitch in time saves nine"</CODE><BR /> OR<BR /> <CODE><BR /> label='As the saying goes, "a stitch in time saves nine"'<BR /> </CODE></P> Sat, 30 Nov 2013 16:09:45 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-document-about-making-a-Syslog-message-stream-quot/m-p/158560#M32155 yannK 2013-11-30T16:09:45Z