Hi, I'm collecting syslog events from network to a dedicated universal forwarder using a TCP input on forwarder. In my Splunk installation I get all the syslog entries, but there's a number in angled brackets (<149>, for example) added to the beginning of every log entry added to Splunk index. That number is not always <149>, it changes, but I cannot find the logic behind those changes. That angled bracketed number does not allow to implement correct field extraction. So my question is: how do I get rid of that number in angled brackets? Shall it be done on forwarder? I'm sorry if my question is stupid, or is well-covered in documentation, I'm relatively new to Splunk and learning now. Thank you!
... View more