How do I extract syslog code to carry out a lookup and create new indexed fields for syslog facility and severity?

corners
New Member

Hi

I'm running Splunk 5.0.4. In the environment I have 2 servers
deploy/heavy forwarder
Search head/indexer.

On the heavy forwarder I have setup the listener for syslog udp:514

C:\Program Files\Splunk\etc\system\local\inputs.conf
[udp://514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true

This is working and forwarding the syslog events on to the indexer, and the syslog code is being included, but the timestamp is still being included too, e.g.:

<189>: 2016 Mar 17 09:08:18.325 gmt

What I want to do is use the syslog code <189> to do a lookup against a csv to find the matching facility and severity and have the 2 values included as indexed fields within Splunk indexer.

I have attempted to do this by including the following on the heavy forwarder (is this the correct place and server?):

C:\Program Files\Splunk\etc\apps\Aggregator_f\local\props.conf
[source::udp:514]
EXTRACT-extractSyslogcode = (?i)^<(?P<syslog_code>[^>]+)
LOOKUP-SyslogCode = syslog_facility_severity_codes code AS syslog_code OUTPUTNEW facility AS sys_facility, severity AS sys_severity

C:\Program Files\Splunk\etc\apps\Aggregator_f\local\transforms.conf
[syslog_facility_severity_codes]
filename = syslog-codes.csv

The csv file for the lookup is located in

C:\Program Files\Splunk\etc\apps\Health_Aggregator_f\lookups\syslog-codes.csv

If anyone can provide any assistance with this, it would be greatly appreciated.

thanks
Steve


lguinn2
Legend

"What I want to do is use the syslog code to do a lookup against a csv to find the matching facility and severity and have the 2 values included as indexed fields within Splunk indexer."

  1. Lookups only happen at search time. Therefore, you can't put the lookup configuration on a forwarder (well, you can, but it doesn't do anything). The lookup should be configured on the search head (or the indexer if you don't have a separate search head). This also means that you can't index the result of a lookup.
  2. In general (which means 99.99% of the time), index-time fields are a bad idea in Splunk. I know that this is completely counter-intuitive, but it is true. Make your lookup automatic and it will provide the additional fields at search time; to the user, it will appear that these fields are indexed.

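Added illustration, not code from this thread: a syslog PRI value is arithmetic, PRI = facility * 8 + severity (RFC 5424), so the `syslog-codes.csv` the question references can be generated rather than hand-typed, and the same arithmetic verifies what the search-time lookup will return for an event. It assumes the column names `code`, `facility` and `severity` used by the LOOKUP line in the question's props.conf.

```python
import csv
import io
import re

# Facility and severity names per RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Same anchored idea as the EXTRACT in the question, but requiring the closing '>' and digits only,
# so a stray '<' in the message body is not mistaken for a PRI.
PRI_RE = re.compile(r"^<(?P<syslog_code>\d{1,3})>")


def decode_pri(line):
    """Return (code, facility, severity) for a raw line, or None if it has no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    code = int(m.group("syslog_code"))
    if code > 191:  # 23 * 8 + 7 is the highest legal PRI value
        return None
    return code, FACILITIES[code // 8], SEVERITIES[code % 8]


def build_lookup_csv():
    """Return the contents of syslog-codes.csv with the columns the props.conf LOOKUP expects."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["code", "facility", "severity"])
    for code in range(192):
        w.writerow([code, FACILITIES[code // 8], SEVERITIES[code % 8]])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample in the same shape as the event quoted in the question.
    sample = "<189>: 2016 Mar 17 09:08:18.325 gmt"
    print(decode_pri(sample))  # (189, 'local7', 'notice')
    print(build_lookup_csv()[:80])
```

Write the output of `build_lookup_csv()` to the app's `lookups/syslog-codes.csv` on the search head (or indexer), which is where the lookup is evaluated.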


corners
New Member

Thanks for replying.
I did move the settings over to the indexer yesterday after further reading around lookups.
This has resulted in the additional fields being generated at search time.
