×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ConSeannery
Engager
Member since: ‎02-08-2011
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎02-08-2011
Activity Feed
View All

Re: RFC 5424 and Structured Data with Splunk

by in Splunk Search
‎03-31-2014 11:15 AM
‎03-31-2014 11:15 AM
Consider using the RFC5424 Syslog technical add-on http://apps.splunk.com/app/978/. Sounds like exactly what you are looking for 🙂 caveats from documentation are listed below as of v1.0 of the said app: KNOWN ISSUES/LIMITATIONS - Fields which appear more than once in an event (i.e., field1="value1" field1="value2") will not be evaluated as multi-value fields - Within a structured data block, the SDID is not associated with the local field names; it is simply another multi-value field, "sdid" - The MSG section of the event, if it exists, is not parsed by this app. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All