https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553654#M157197 <P>Is the example you shared, the _raw message you get when searching your index?</P><P>Do you have any interesting fields already extracted for you?</P><P>Which part of the message do you want in data(?) host facility etc i.e can you provide a corresponding example of the expected output?</P> Sun, 30 May 2021 13:35:13 GMT ITWhisperer 2021-05-30T13:35:13Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553653#M157196 <P><SPAN>Dear all,</SPAN></P><P><SPAN>I have a syslog-ng relay server collecting syslog messages from remote network devices and saving them as log files. Then I have Splunk UF forwarding this data to the splunk cloud. Following is a sample message</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">May 30 04:23:54 192.168.1.132 &lt;82&gt;May 30 04:23:54 syslog-data-generator-01 This is a test message from b001-491 2021-05-30T04:23:54.116Z</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>And following is my inputs.conf</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor:///var/log/remotelogs/] disabled = 0 sourcetype = syslog</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>I can see the messages collected from splunk cloud by querying _raw</SPAN></P><P><SPAN>My question: How would I write a query to display [data, host, facility, severity, message]</SPAN></P><P>&nbsp;</P><P>Many thanks in advance</P> Sun, 30 May 2021 12:48:38 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553653#M157196 ChintanaM 2021-05-30T12:48:38Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553654#M157197 <P>Is the example you shared, the _raw message you get when searching your index?</P><P>Do you have any interesting fields already extracted for you?</P><P>Which part of the message do you want in data(?) host facility etc i.e can you provide a corresponding example of the expected output?</P> Sun, 30 May 2021 13:35:13 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553654#M157197 ITWhisperer 2021-05-30T13:35:13Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553658#M157198 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>Thank you for taking time to read my question and respond</P><P>Following is what I see</P><P>sample message</P><P><EM><STRONG><SPAN class="t">May</SPAN> <SPAN class="t">30</SPAN> <SPAN class="t">04:23:54</SPAN> <SPAN class="t">192.168.1.132</SPAN> &lt;<SPAN class="t">82</SPAN>&gt;<SPAN class="t">May</SPAN> <SPAN class="t">30</SPAN> <SPAN class="t">04:23:54</SPAN> <SPAN class="t">syslog-data-generator-01</SPAN> <SPAN class="t">This</SPAN> <SPAN class="t">is</SPAN> <SPAN class="t">a</SPAN> <SPAN class="t">test</SPAN> <SPAN class="t">message</SPAN> <SPAN class="t">from</SPAN> <SPAN class="t">asanka-496</SPAN> <SPAN class="t h"><SPAN class="t">2021-05-30T04:23:54</SPAN>.<SPAN class="t">168Z</SPAN></SPAN></STRONG></EM></P><P><SPAN class="t h">screen-shot</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ChintanaM_0-1622382039314.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14373i888A7D080958C9DD/image-size/medium?v=v2&amp;px=400" role="button" title="ChintanaM_0-1622382039314.png" alt="ChintanaM_0-1622382039314.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 30 May 2021 13:41:37 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553658#M157198 ChintanaM 2021-05-30T13:41:37Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553659#M157199 <P>So which part of the message is which?</P><P><EM><STRONG><FONT color="#FF0000"><SPAN class="t">May</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">30</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">04:23:54</SPAN></FONT><SPAN>&nbsp;</SPAN><FONT color="#FF00FF"><SPAN class="t">192.168.1.132</SPAN></FONT><SPAN>&nbsp;</SPAN>&lt;<FONT color="#00CCFF"><SPAN class="t">82</SPAN></FONT>&gt;<FONT color="#FF0000"><SPAN class="t">May</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">30</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">04:23:54</SPAN></FONT><SPAN>&nbsp;</SPAN><FONT color="#00FF00"><SPAN class="t">syslog-data-generator-01</SPAN></FONT><SPAN>&nbsp;</SPAN><FONT color="#993366"><SPAN class="t">This</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">is</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">a</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">test</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">message</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">from</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">asanka-496</SPAN></FONT><SPAN>&nbsp;</SPAN><FONT color="#FF0000"><SPAN class="t h"><SPAN class="t">2021-05-30T04:23:54</SPAN>.<SPAN class="t">168Z</SPAN></SPAN></FONT></STRONG></EM></P><P><FONT color="#FF0000"><EM>data or date?</EM></FONT></P><P><FONT color="#FF00FF"><EM>host</EM></FONT></P><P><FONT color="#00FF00"><EM>facility</EM></FONT></P><P><FONT color="#00CCFF"><EM>severity</EM></FONT></P><P><FONT color="#993366"><EM>message</EM></FONT></P> Sun, 30 May 2021 13:47:42 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553659#M157199 ITWhisperer 2021-05-30T13:47:42Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553660#M157200 <P>typo <STRONG>date</STRONG> should be <STRONG>date</STRONG></P><P><STRONG><EM><FONT color="#FF0000"><SPAN class="t">May</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">30</SPAN><SPAN>&nbsp;</SPAN><SPAN class="t">04:23:54 - date</SPAN></FONT></EM></STRONG></P><P><STRONG><EM><FONT color="#FF0000"><SPAN class="t"><FONT color="#FF00FF">192.168.1.132 - host</FONT></SPAN></FONT></EM></STRONG></P><P><STRONG><EM><FONT color="#FF0000"><SPAN class="t"><FONT color="#FF00FF">&lt;<FONT color="#00CCFF">82</FONT>&gt; - PRI&nbsp; (facility, severity)</FONT></SPAN></FONT></EM></STRONG></P><P><STRONG><EM><FONT color="#FF0000"><SPAN class="t"><FONT color="#FF00FF">Rest is the message</FONT></SPAN></FONT></EM></STRONG></P><P>Cheers</P> Sun, 30 May 2021 14:04:06 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553660#M157200 ChintanaM 2021-05-30T14:04:06Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553661#M157201 <P>host is already extracted so you might want to use a different name</P><LI-CODE lang="markup">| rex "(?&lt;date&gt;\w+\s\d+\s\d\d:\d\d:\d\d)\s(?&lt;host&gt;[^\s]+)\s&lt;(?&lt;severity&gt;\d+)&gt;(?&lt;msg&gt;.*)"</LI-CODE> Sun, 30 May 2021 14:15:21 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553661#M157201 ITWhisperer 2021-05-30T14:15:21Z https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553662#M157202 <P>you are awesome mate !!!!!!! thank you</P> Sun, 30 May 2021 14:17:22 GMT https://community.splunk.com/t5/Splunk-Search/Query-syslog-fields/m-p/553662#M157202 ChintanaM 2021-05-30T14:17:22Z