Splunk Search

Query syslog fields

ChintanaM
Explorer

Dear all,

I have a syslog-ng relay server collecting syslog messages from remote network devices and saving them as log files. Then I have a Splunk UF forwarding this data to Splunk Cloud. Following is a sample message:

May 30 04:23:54 192.168.1.132 <82>May 30 04:23:54 syslog-data-generator-01 This is a test message from b001-491 2021-05-30T04:23:54.116Z

And following is my inputs.conf:

[monitor:///var/log/remotelogs/]
disabled = 0
sourcetype = syslog

I can see the messages collected in Splunk Cloud by querying _raw.

My question: how would I write a query to display [data, host, facility, severity, message]?

Many thanks in advance

0 Karma
1 Solution

ITWhisperer
SplunkTrust

host is already extracted so you might want to use a different name

| rex "(?<date>\w+\s\d+\s\d\d:\d\d:\d\d)\s(?<host>[^\s]+)\s<(?<severity>\d+)>(?<msg>.*)"


0 Karma

ChintanaM
Explorer

Hi @ITWhisperer ,

Thank you for taking the time to read my question and respond.

Following is what I see

sample message

May 30 04:23:54 192.168.1.132 <82>May 30 04:23:54 syslog-data-generator-01 This is a test message from asanka-496 2021-05-30T04:23:54.168Z

screen-shot (attachment ChintanaM_0-1622382039314.png, not reproduced here)
0 Karma

ITWhisperer
SplunkTrust

So which part of the message is which?

May 30 04:23:54 192.168.1.132 <82>May 30 04:23:54 syslog-data-generator-01 This is a test message from asanka-496 2021-05-30T04:23:54.168Z

data or date?

host

facility

severity

message

0 Karma

ChintanaM
Explorer

Typo: data should be date.

May 30 04:23:54 - date

192.168.1.132 - host

<82> - PRI (facility, severity)

Rest is the message

Cheers

0 Karma
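Added example (not from this thread or the accepted answer): the PRI value in angle brackets encodes both facility and severity (facility = PRI div 8, severity = PRI mod 8), so capturing it as a number and decoding it in eval yields the facility and severity columns the question asks for. The rex below is a variant of the accepted one that names the captured number `pri` and uses `syslog_host` so the existing host field is not overwritten; the field names and the name tables are assumptions, and for the sample message PRI 82 decodes to facility 10 (authpriv) and severity 2 (crit).

```spl
| rex field=_raw "^(?<syslog_date>\w+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?<syslog_host>\S+)\s+<(?<pri>\d+)>(?<message>.*)$"
| eval pri=tonumber(pri)
| eval facility=floor(pri/8), severity=pri%8
| eval severity_name=case(severity==0,"emerg", severity==1,"alert", severity==2,"crit", severity==3,"err",
    severity==4,"warning", severity==5,"notice", severity==6,"info", severity==7,"debug")
| eval facility_name=case(facility==0,"kern", facility==1,"user", facility==2,"mail", facility==3,"daemon",
    facility==4,"auth", facility==5,"syslog", facility==6,"lpr", facility==7,"news", facility==8,"uucp",
    facility==9,"cron", facility==10,"authpriv", facility==11,"ftp",
    facility>=16 AND facility<=23, "local".(facility-16), true(), "unknown")
| table syslog_date syslog_host facility facility_name severity severity_name message
```

Events that do not match the rex (for example lines without a PRI) get no pri field and so no facility or severity; add `| where isnotnull(pri)` if you want to drop them rather than show empty columns.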


ChintanaM
Explorer

You are awesome mate!!!!!!! Thank you.

0 Karma

ITWhisperer
SplunkTrust

Is the example you shared the _raw message you get when searching your index?

Do you have any interesting fields already extracted for you?

Which part of the message do you want in data(?), host, facility, etc., i.e. can you provide a corresponding example of the expected output?

0 Karma