Hi. I need to add noprioritystripping = true to my UDP syslog input so that I can create a lookup for the facility and priority fields. But when I do this, line breaking doesn't work properly. What I'd like to do is LINE_BREAKER = (<\d+>), but of course, this strips out the characters that I need for the lookup. How do I configure this input to break on that regex, but retain those characters in the event?
Here are some sample events:
<85>Mar 21 13:16:22 C220-FCH1922V34X AUDIT: Login success (user:iseadmin, ip:192.168.10.10, service:sshd)
<85>Mar 21 13:16:22 C220-FCH1922V34X AUDIT: Session open (user:iseadmin, ip:192.168.10.10, id:63, type:CLI)
<85>Mar 21 13:16:53 C220-FCH1922V34X AUDIT: Session close (user:iseadmin, ip:192.168.10.10, id:63, type:CLI)
My goal is to look up the value 85 and return two new fields. This will work if I can get the lines to break as I described above:
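As an added example (my own code, not from the question or the answers): the same breaking-and-decoding logic in Python, splitting on a zero-width lookahead so the <PRI> header stays in the event, then deriving facility and severity from it (85 = authpriv/notice). The input is the three events quoted above; the function names are my own.

```python
import re

# Constructed input: the three syslog datagrams from the question, concatenated as
# they might sit in one receive buffer, each beginning with its <PRI> header.
RAW = (
    "<85>Mar 21 13:16:22 C220-FCH1922V34X AUDIT: Login success (user:iseadmin, ip:192.168.10.10, service:sshd)\n"
    "<85>Mar 21 13:16:22 C220-FCH1922V34X AUDIT: Session open (user:iseadmin, ip:192.168.10.10, id:63, type:CLI)\n"
    "<85>Mar 21 13:16:53 C220-FCH1922V34X AUDIT: Session close (user:iseadmin, ip:192.168.10.10, id:63, type:CLI)\n"
)

# Facility and severity names per RFC 5424 (Table 1 and Table 2).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"<(\d{1,3})>")


def break_events(buf, keep_pri=True):
    """Split a buffer into events at each <PRI> header.

    keep_pri=True breaks *before* the header using a zero-width lookahead, so the
    header stays in the event. keep_pri=False consumes the header as the delimiter,
    which is exactly the loss the question wants to avoid.
    """
    pattern = r"(?=<\d{1,3}>)" if keep_pri else r"<\d{1,3}>"
    return [e.strip() for e in re.split(pattern, buf) if e.strip()]


def decode_pri(event):
    """Return PRI, facility and severity of an event as a dict, or None when the
    event does not start with a valid <PRI> (0..191)."""
    m = PRI_RE.match(event)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {"pri": pri,
            "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity]}


if __name__ == "__main__":
    for ev in break_events(RAW):
        print(decode_pri(ev), ev[:40])
```

The same principle applies to Splunk's LINE_BREAKER, which discards only what its first capture group matches, so placing the PRI in a lookahead after that group (for example `([\r\n]+)(?=<\d+>)`) breaks before each header without removing it.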
According to inputs.conf.spec (https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Inputsconf), if noprioritystripping is set to true, it causes the instance to NOT strip the syslog field from received events. However, for breaking events correctly, try creating a new sourcetype in your props.conf file as such:
# props.conf, inside the stanza for the new sourcetype
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = <\d+>
LINE_BREAKER = ^
SHOULD_LINEMERGE = false
TRUNCATE = 5000
MAX_TIMESTAMP_LOOKAHEAD, TIME_PREFIX, TIME_FORMAT and SHOULD_LINEMERGE control line breaking. Note that TRUNCATE is included for best-practice purposes only.
Then inside your inputs.conf add this statement underneath the stanza for your input: