|
Very new to Splunk and need help. I have close to 20 syslogd/syslog-ng streams coming in on 3 ports: udp/10513, tcp/10514, tcp/10515. Each stream has it's own unique proto/port/priority combination. I'd like to create a field based on these parameters so later I could easily separate these streams for various users in the company. As you probably know, priority is the first number at the beginning of a line, <22> in the line below <22>Dec 9 12:51:44 sendmail[9017]: [ID 801593 mail.info] pB9KpcPT009015 So I was thinking about creating the priority field, and then two more off of it: facility and severity (priority = (facility * 8) + severity). Then I wanted to do some kind of table lookup and create yet another field - log_file_type: I found out about transformers.conf and props.conf and I can only parse out <22> and assign it to the priority filed. The minute I try to do math everything falls apart. I don't really care at this point whether it will be search- or index-time... I was told I better not touch index-time processing. Any help is greatly appreciated! Alex. |
|
Got a semi-satisfactory result with eventtypes.conf [splunk@splunk01 /opt/splunk/etc/system/local]$ cat eventtypes.conf [app on jsp and ejb] search = source="udp:10513" priority>=145 AND priority<152"priority>=145 AND priority<152" is a sucky way of saying facility=18 (or local2). I'd very much prefer to use that, so I'm still looking how to calculate facility and severity. |