Getting Data In

syslog priority/level not logged?

NK_1
Path Finder
Is there any way to distinguish the various priorities/levels of syslogged messages when viewed from Splunk?
I don't see a field that will distinguish the following messages: 

logger -t MYTAG -p local1.emerg Testing facility and priority/level.
logger -t MYTAG -p local1.alert Testing facility and priority/level.
logger -t MYTAG -p local1.crit Testing facility and priority/level.
logger -t MYTAG -p local1.err Testing facility and priority/level.
logger -t MYTAG -p local1.warning Testing facility and priority/level.
logger -t MYTAG -p local1.notice Testing facility and priority/level.
logger -t MYTAG -p local1.info Testing facility and priority/level.
logger -t MYTAG -p local1.debug Testing facility and priority/level.
Tags (2)
0 Karma
1 Solution

FunPolice
Path Finder

The information is in the event, so you just need to "teach" Splunk how to see it.

The easiest way is to use the interactive field extractor (search for "extract fields" in the User Manual). If that isn't successful then find the extractions in props.conf (probably under $SPLUNK_HOME/etc/users/MyUserName/AppName/Local) and tweak them. They might look something like this (after tweaking):

[sourcetype_name]
EXTRACT-SyslogFacility = (?i)^.*-p\s(?P<Facility>[^\.]*)
EXTRACT-SyslogSeverity = (?i)^.*-p\s\W*\.(?P<Severity>[^\s]*)

There are umpteen different ways to extract the same data with regexes and I'm no guru so hopefully someone else can provide some tips on optimising this. For a start you could merge them into one extraction:

EXTRACT-SyslogFacSev = (?i)^.*-p\s(?P<Facility>[^\.]*)\.(?P<Severity>[^\s]*)

This regex says:

  • (?i) = ignore case
  • ^ = beginning of line
  • .* = any amount of any character
  • -p = "-p"
  • \s = one whitespace
  • (?P[^.]*) = capture any characters up to the next "." and call them "Facility"
  • . = "."
  • (?P[^\s]*) = capture any characters up to the next whitespace and call them "Facility"

You could also use "alternatives," where you list all of the possible options that could be the facility or priority, but I'm not sure if that would be any more efficient.

I find Expresso really handy for learning about and testing regexes. Just remember to add the "P" in to the capture group when you paste it into props.conf

View solution in original post

FunPolice
Path Finder

The information is in the event, so you just need to "teach" Splunk how to see it.

The easiest way is to use the interactive field extractor (search for "extract fields" in the User Manual). If that isn't successful then find the extractions in props.conf (probably under $SPLUNK_HOME/etc/users/MyUserName/AppName/Local) and tweak them. They might look something like this (after tweaking):

[sourcetype_name]
EXTRACT-SyslogFacility = (?i)^.*-p\s(?P<Facility>[^\.]*)
EXTRACT-SyslogSeverity = (?i)^.*-p\s\W*\.(?P<Severity>[^\s]*)

There are umpteen different ways to extract the same data with regexes and I'm no guru so hopefully someone else can provide some tips on optimising this. For a start you could merge them into one extraction:

EXTRACT-SyslogFacSev = (?i)^.*-p\s(?P<Facility>[^\.]*)\.(?P<Severity>[^\s]*)

This regex says:

  • (?i) = ignore case
  • ^ = beginning of line
  • .* = any amount of any character
  • -p = "-p"
  • \s = one whitespace
  • (?P[^.]*) = capture any characters up to the next "." and call them "Facility"
  • . = "."
  • (?P[^\s]*) = capture any characters up to the next whitespace and call them "Facility"

You could also use "alternatives," where you list all of the possible options that could be the facility or priority, but I'm not sure if that would be any more efficient.

I find Expresso really handy for learning about and testing regexes. Just remember to add the "P" in to the capture group when you paste it into props.conf

Ayn
Legend

Jason
Motivator

Yes. That answer tells you about no_priority_stripping, which you will need to set in your inputs.conf for that udp input, in order to get the priority field.

0 Karma
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...