How do I keep Splunk from removing syslog priority fields? They are removed once indexed into Splunk.
There is an optional flag within inputs.conf that you can place in any UDP input stanza, such as
[udp://514]
no_priority_stripping = true
This will keep your priority field on any syslog events indexed into Splunk via UDP port 514.
Unfortunately, this only works with syslog via UDP inputs.
If using a TCP input, you would have to set up a props/transforms entry to store these fields.
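To make concrete what the answer and the TCP comment above are preserving, here is an added example (not from the original thread or from Splunk) that decodes the syslog <PRI> header into facility and severity, using the same leading-digits pattern a props/transforms extraction would match on a retained event. The sample events are constructed; the third one shows what an event looks like once the priority has been stripped and can no longer be classified.

```python
import re

# Facility and severity names from RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Same shape of pattern a props/transforms extraction would use on a retained <PRI> header.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

def parse_priority(event):
    """Return (facility, severity, message) for an event that still carries its
    <PRI> header, or None when the header is absent (for example, after stripping)."""
    m = PRI_RE.match(event)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], event[m.end():]

def count_by_severity(events):
    """Tally events per severity; events without a PRI header land under 'unknown'."""
    counts = {}
    for ev in events:
        parsed = parse_priority(ev)
        key = parsed[1] if parsed else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: two events as delivered with the header, one as it looks once stripped.
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for user on /dev/pts/8",
    "<165>Oct 11 22:14:16 host2 app[123]: scheduled job finished",
    "Oct 11 22:14:17 host3 sshd[999]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_priority(ev))
    print(count_by_severity(SAMPLE_EVENTS))
```

Without the header, the third event cannot be bucketed by severity at search time, which is exactly what no_priority_stripping (or an equivalent extraction on TCP inputs) avoids.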
Will this also work for SSL? For example:
[splunktcp-ssl:9996]
compressed = true
no_priority_stripping = true
Kindly confirm.
Thanks!
Brian