×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
wirelessy
Engager
Member since: ‎06-29-2016
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎06-29-2016
Activity Feed
View All

Re: Field extraction and conditional splitting int...

by in Splunk Search
‎06-30-2016 06:53 AM
‎06-30-2016 06:53 AM
Well, that does indeed explain what I am getting wrong :). Thank you! I took that idea off of this app: https://splunkbase.splunk.com/app/736/ Am I correct on the assumption this would work again, if it wasn't for my 6.4.1 heavy forwarder, but 6.3 or older? Sadly, I am left alone in the field with (so far) zero experience in configuring Splunk. I don't think I fully understand what possibilities I have to achieve that, and where/how to configure those. Could you provide me with a possible way, or just a keyword that I can go dig into? Maybe a similar example, on which I can go full copycat again? ... View more

Field extraction and conditional splitting into di...

by in Splunk Search
‎06-29-2016 07:59 AM
1 Karma
‎06-29-2016 07:59 AM
1 Karma
Hello, In my environment I have a setup of two heavy forwarders forwarding to a set of clustered indexers. I want those forwarders to receive syslog, and depending on the facility/severity the incoming data should be forwarded to different indexes. To get the syslog facility/severity, I want to do a lookup for the priority I receive in the event. To do that lookup, I figured I need a named field for the priority. So I created an app for those forwarders with the following: props.conf: [generic_syslog] EXTRACT-extract_syslog_priority = ^<(?<syslog_priority>\d+)> LOOKUP-lookup_syslog_priority = syslog_priority_lookup syslog_priority OUTPUTNEW syslog_facility, syslog_severity transforms.conf [syslog_priority_lookup] filename = syslog_priorities.csv However, above config does not seem to work. The indexed events have no fields as "syslog_priority", nor "syslog_facility" or the severity. What am I getting wrong here? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All