Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

syslog priority/level not logged?

NK_1
Path Finder
‎01-18-2012 11:47 AM 
Is there any way to distinguish the various priorities/levels of syslogged messages when viewed from Splunk?
I don't see a field that will distinguish the following messages: 

logger -t MYTAG -p local1.emerg Testing facility and priority/level.
logger -t MYTAG -p local1.alert Testing facility and priority/level.
logger -t MYTAG -p local1.crit Testing facility and priority/level.
logger -t MYTAG -p local1.err Testing facility and priority/level.
logger -t MYTAG -p local1.warning Testing facility and priority/level.
logger -t MYTAG -p local1.notice Testing facility and priority/level.
logger -t MYTAG -p local1.info Testing facility and priority/level.
logger -t MYTAG -p local1.debug Testing facility and priority/level.
Tags (2)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution

Re: syslog priority/level not logged?

Ayn
Legend
‎01-18-2012 01:04 PM

This question and answer might prove useful: http://splunk-base.splunk.com/answers/31036/syslog-facility-and-severity-loglevel

Reply
Highlighted
Solved! Jump to solution

Re: syslog priority/level not logged?

Jason
Motivator
‎02-19-2013 03:48 AM

Yes. That answer tells you about noprioritystripping, which you will need to set in your inputs.conf for that udp input, in order to get the priority field.

0 Karma
Reply
Highlighted
Solved! Jump to solution
Solution

Re: syslog priority/level not logged?

FunPolice
Path Finder
‎01-18-2012 03:13 PM

The information is in the event, so you just need to "teach" Splunk how to see it.

The easiest way is to use the interactive field extractor (search for "extract fields" in the User Manual). If that isn't successful then find the extractions in props.conf (probably under $SPLUNK_HOME/etc/users/MyUserName/AppName/Local) and tweak them. They might look something like this (after tweaking):

[sourcetype_name]
EXTRACT-SyslogFacility = (?i)^.*-p\s(?P<Facility>[^\.]*)
EXTRACT-SyslogSeverity = (?i)^.*-p\s\W*\.(?P<Severity>[^\s]*)

There are umpteen different ways to extract the same data with regexes and I'm no guru so hopefully someone else can provide some tips on optimising this. For a start you could merge them into one extraction:

EXTRACT-SyslogFacSev = (?i)^.*-p\s(?P<Facility>[^\.]*)\.(?P<Severity>[^\s]*)

This regex says:

  • (?i) = ignore case
  • ^ = beginning of line
  • .* = any amount of any character
  • -p = "-p"
  • \s = one whitespace
  • (?P[^.]*) = capture any characters up to the next "." and call them "Facility"
  • . = "."
  • (?P[^\s]*) = capture any characters up to the next whitespace and call them "Facility"

You could also use "alternatives," where you list all of the possible options that could be the facility or priority, but I'm not sure if that would be any more efficient.

I find Expresso really handy for learning about and testing regexes. Just remember to add the "P" in to the capture group when you paste it into props.conf

View solution in original post

Reply