Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting "no_priority_stripping = true" in inputs.conf does not line break my events correctly. How to edit my configurations?

_smp_
Builder
‎03-21-2017 06:50 AM

Hi. I need to add no_priority_stripping = true to my UDP syslog input so that I can create a lookup for the facility and priority fields. But when I do this, line breaking doesn't work properly. What I'd like to do is LINE_BREAKER = (<\d+>), but of course, this strips out the characters that I need for the lookup. How do I configure this input to break on that regex, but retain those characters in the event?

Here are some sample events:

<85>Mar 21 13:16:22 C220-FCH1922V34X AUDIT[17179]: Login success (user:iseadmin, ip:192.168.10.10, service:sshd)
<85>Mar 21 13:16:22 C220-FCH1922V34X AUDIT[17179]: Session open (user:iseadmin, ip:192.168.10.10, id:63, type:CLI)
<85>Mar 21 13:16:53 C220-FCH1922V34X AUDIT[17180]: Session close (user:iseadmin, ip:192.168.10.10, id:63, type:CLI)

My goal is to lookup for the value 85 and return two new fields. And this will work, if I can get the lines to break as I described above:
syslog_facility=authpriv
syslog_severity=notice

0 Karma
Reply

mtolbert_kgi
New Member
‎07-17-2017 08:53 AM

According to inputs.conf.spec (https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Inputsconf) if no_priority_stripping is set to true it causes instance to NOT strip the syslog field from received events. However, for breaking events correctly try creating a new sourcetype in your props.conf file as such:

[new_source_type]
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = <\d+>
LINE_BREAKER = ^
SHOULD_LINEMERGE = false
TRUNCATE = 5000

where:

MAX_TIMESTAMP_LOOKAHEAD, TIME_PREFIX, TIME_FORMAT and SHOULD_LINEMERGE controls line breaking. Note TRUNCATE is thrown in for best practice purpose only.

Then inside your inputs.conf add this statement underneath the stanza for your input:

sourcetype=new_source_type

0 Karma
Reply

woodcock
Esteemed Legend
‎03-21-2017 07:33 AM

You really need to show sample events.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...