Hi
I'm running Splunk 5.0.4. In the environment I have 2 servers
deploy/heavy forwarder
Search head/indexer.
On the heavy forwarder I have setup the listener for syslog udp:514
C:\Program Files\Splunk\etc\system\local\inputs.conf
[udp://514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
This is working and forwarding the syslog events on to the indexer, and the syslog code is being included, but the timestamp is still being included also, e.g.:
<189>: 2016 Mar 17 09:08:18.325 gmt
What I want to do is use the syslog code <189> to do a lookup against a csv to find the matching facility and severity and have the 2 values included as indexed fields within Splunk indexer.
I have attempted to do this by including the following on the Heavy Forwarder (Is this the correct place and server??)
C:\Program Files\Splunk\etc\apps\Aggregator_f\local\props.conf
[source::udp:514]
EXTRACT-extractSyslogcode = (?i)^<(?P<syslog_code>[^>]+)
LOOKUP-SyslogCode = syslog_facility_severity_codes code AS syslog_code OUTPUTNEW facility AS sys_facility, severity AS sys_severity
C:\Program Files\Splunk\etc\apps\Aggregator_f\local\transforms.conf
[syslog_facility_severity_codes]
filename = syslog-codes.csv
The csv file for the lookup is located in
C:\Program Files\Splunk\etc\apps\Health_Aggregator_f\lookups\syslog-codes.csv
If anyone can provide any assistance with this it would be greatly received.
thanks
Steve
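An added example, not part of Steve's post or of Splunk itself: the PRI value in angle brackets is facility * 8 + severity, so the lookup the post describes can be generated rather than typed by hand. The script below applies the same EXTRACT regex to the post's sample event, decodes 189, and emits a syslog-codes.csv whose header fields (code, facility, severity) match the LOOKUP stanza; the facility and severity keywords are the standard RFC 3164 names, which is an assumption about how the poster's CSV spells them.

```python
import csv
import io
import re

# Standard syslog facility (0-23) and severity (0-7) keywords, RFC 3164 numbering.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# Same capture as the EXTRACT in the post: everything between the leading < and the first >.
PRI_RE = re.compile(r"(?i)^<(?P<syslog_code>[^>]+)>")


def decode_pri(code):
    """Return (facility, severity) names for a PRI value, or None when it is out of range."""
    if not 0 <= code <= 191:
        return None
    return FACILITIES[code // 8], SEVERITIES[code % 8]


def extract_syslog_code(raw_event):
    """Pull the numeric PRI from a raw event such as '<189>: 2016 Mar 17 09:08:18.325 gmt'."""
    m = PRI_RE.match(raw_event)
    if not m or not m.group("syslog_code").isdigit():
        return None          # no PRI header, or a non-numeric value between the brackets
    return int(m.group("syslog_code"))


def build_lookup_csv():
    """Build the full syslog-codes.csv text: one row per PRI value 0..191."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["code", "facility", "severity"])   # field names used by the LOOKUP stanza
    for code in range(192):
        fac, sev = decode_pri(code)
        w.writerow([code, fac, sev])
    return buf.getvalue()


if __name__ == "__main__":
    sample = "<189>: 2016 Mar 17 09:08:18.325 gmt"   # constructed from the event in the post
    code = extract_syslog_code(sample)
    print(code, decode_pri(code))                   # 189 ('local7', 'notice')
    with open("syslog-codes.csv", "w", newline="") as f:
        f.write(build_lookup_csv())
```

Drop the generated file into the app's lookups directory and the LOOKUP stanza will resolve sys_facility and sys_severity from the extracted syslog_code.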