I have close to 20 syslogd/syslog-ng streams coming in on 3 ports: udp/10513, tcp/10514, tcp/10515. Each stream has its own unique proto/port/priority combination. I'd like to create a field based on these parameters so later I could easily separate these streams for various users in the company.
As you probably know, priority is the first number at the beginning of a line, <22> in the line below
So I was thinking about creating the priority field, and then two more off of it: facility and severity (priority = (facility * 8) + severity). Then I wanted to do some kind of table lookup and create yet another field - log_file_type:
- IF udp:10513 and facility=2 THEN log_file_type=MAIL
- IF tcp/10515 and facility=17 THEN log_file_type=JCACHE_NOHUP
- etc, etc
I found out about transformers.conf and props.conf and I can only parse out <22> and assign it to the priority field. The minute I try to do math everything falls apart. I don't really care at this point whether it will be search- or index-time... I was told I better not touch index-time processing.
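The three steps the post describes (extract the leading `<PRI>`, split it into facility and severity with `priority = facility * 8 + severity`, then look up `(proto, port, facility)` to get `log_file_type`) are easier to reason about once the logic is visible outside the config files. The block below is an added Python model of exactly that pipeline; it is not from the original post and not Splunk code. The first two rows of the lookup table restate the post's own rules; the third row and every sample log line are constructed for illustration, and `UNKNOWN` is an assumed default for streams the table does not cover. It also handles the two cases a real feed will hit: lines with no `<PRI>` header at all, and a PRI outside the valid 0..191 range (facility 0..23, severity 0..7).

```python
import re
from dataclasses import dataclass

# A syslog line starts with "<PRI>" where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Valid PRI range: facility 0..23, severity 0..7 -> 0..191 inclusive.
PRI_MAX = 23 * 8 + 7


@dataclass(frozen=True)
class Classified:
    priority: int
    facility: int
    severity: int
    log_file_type: str


# Hypothetical lookup table keyed on (proto, port, facility).
# The first two rows are the rules from the post; the third is constructed.
LOG_FILE_TYPES = {
    ("udp", 10513, 2): "MAIL",
    ("tcp", 10515, 17): "JCACHE_NOHUP",
    ("tcp", 10514, 4): "AUTH",  # constructed example row
}

DEFAULT_TYPE = "UNKNOWN"  # assumed default for unmapped streams


def parse_pri(line):
    """Return the integer PRI from a syslog line, or None if missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None  # no "<N>" header; do not guess a priority
    pri = int(m.group(1))
    if pri > PRI_MAX:
        return None  # e.g. "<999>": not a legal facility/severity pair
    return pri


def split_pri(pri):
    """Split PRI into (facility, severity) using priority = facility*8 + severity."""
    return divmod(pri, 8)


def classify(proto, port, line):
    """Derive priority, facility, severity and log_file_type for one line.

    Returns None when the line carries no usable PRI, so callers can route
    such lines separately instead of silently mislabelling them.
    """
    pri = parse_pri(line)
    if pri is None:
        return None
    facility, severity = split_pri(pri)
    log_file_type = LOG_FILE_TYPES.get((proto.lower(), int(port), facility), DEFAULT_TYPE)
    return Classified(pri, facility, severity, log_file_type)


def classify_stream(records):
    """Classify an iterable of (proto, port, raw_line) tuples.

    Returns (classified, rejected): rejected holds lines with no valid PRI.
    """
    classified, rejected = [], []
    for proto, port, line in records:
        result = classify(proto, port, line)
        if result is None:
            rejected.append(line)
        else:
            classified.append(result)
    return classified, rejected


# Constructed sample feed: (proto, port, raw line). Not real traffic.
SAMPLE_RECORDS = [
    ("udp", 10513, "<22>Jan  5 10:00:01 mx1 postfix/smtpd[123]: connect from unknown[192.0.2.10]"),
    ("tcp", 10515, "<142>Jan  5 10:00:02 app1 jcache: cache warmed in 2.3s"),
    ("tcp", 10514, "<38>Jan  5 10:00:03 bastion sshd[42]: Accepted publickey for ops"),
    ("tcp", 10514, "Jan  5 10:00:04 host message with no PRI header"),
    ("udp", 10513, "<999>Jan  5 10:00:05 host bogus PRI value"),
]

if __name__ == "__main__":
    ok, bad = classify_stream(SAMPLE_RECORDS)
    for c in ok:
        print(c)
    print("rejected:", bad)
```

The same three steps map onto Splunk search-time processing without touching the indexer: the regex extraction yields `priority`, calculated fields (`EVAL-facility = floor(priority/8)` and `EVAL-severity = priority % 8` in props.conf) do the arithmetic, and a CSV lookup keyed on proto, port and facility supplies `log_file_type`. Keeping the invalid-PRI and missing-PRI cases distinct, as the model does, is what stops a malformed line from being filed under the wrong team's stream.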