Getting Data In

Split data into sourcetypes based on syslog Facility code

Jason
Motivator

I'm about to help a client get some data split into different sourcetypes from syslog, based on a facility code set by the device.

Assuming I turn on no_priority_stripping in the udp input, is there a more elegant solution than just regexing off of _raw to split this out? Or are facility/priority codes not pulled out at index time?

Tags (2)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

They are not handled specially, so you'd need to use a regular expression against the _raw data.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

They are not handled specially, so you'd need to use a regular expression against the _raw data.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...

Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents

Tech Talk Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents   Correlating ...

Observability Simplified: Combining User Experience, Application Performance & ...

  Tech Talk Network to App: Observability Unlocked   Today’s digital environments span applications, ...