This is an Add-On for syslog data formatted according to RFC 5424, including messages carried over TCP with RFC 6587 framing (octet-counting or non-transparent).
Set sourcetype="rfc5424_syslog" for all RFC 5424 data inputs. This app includes an
index-time transformation for the "host" field, so it must be installed BEFORE
data is indexed: index-time transformations are not applied retroactively to events that are already on disk.
The following fields are extracted:
prival - The PRI value (0 to 191), which encodes the syslog facility and severity as facility * 8 + severity. Use the convert_facility_severity macro, described below, to decode it into the facility and severity fields.
appname - The field APP-NAME described in RFC5424
procid - The field PROCID described in RFC5424
msgid - The field MSGID described in RFC5424
host - The field HOSTNAME described in RFC5424. NOTE: This field is an index-time transformation, so it is only populated for events indexed after the app was installed.
Within the STRUCTURED-DATA part (i.e., one or more [...] elements), the following fields are extracted:
sdid - The field SD-ID described in RFC5424. This field is evaluated as a multi-value field, one value per SD-ELEMENT in the message.
key/value pairs - All SD-PARAM pairs (i.e., field1="value1") are extracted, but are not evaluated as multi-value fields, so a PARAM-NAME that repeats across SD-ELEMENTs of the same message does not yield a multi-value field.
To extract the FACILITY and SEVERITY values from the PRIVAL value (facility = prival div 8, severity = prival mod 8):
sourcetype="rfc5424_syslog" | `convert_facility_severity`
To convert FACILITY values into text descriptions:
sourcetype="rfc5424_syslog" | `convert_facility_severity` | lookup facility_lookup facility
To convert SEVERITY values into text descriptions:
sourcetype="rfc5424_syslog" | `convert_facility_severity` | lookup severity_lookup severity
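The following parser is an added example and is not part of this app or of Splunk; it shows in plain Python what the field list above and the RFC 6587 note describe, so that the extractions can be checked against known input before data reaches the index. It de-frames an RFC 6587 TCP stream (octet-counting when the stream starts with a MSG-LEN, otherwise LF-terminated non-transparent framing), splits the RFC 5424 header into the prival, host, appname, procid and msgid fields, decodes prival into facility and severity, collects every SD-ID into a list (the multi-value sdid field) and flattens SD-PARAM pairs into a single dict (so a repeated PARAM-NAME is overwritten, matching the single-value note above). It also handles the three RFC 5424 escapes inside PARAM-VALUE (\", \\ and \]), which a naive split on quotes gets wrong. The sample messages, hostnames and SD-IDs are constructed for the example; the facility labels are abbreviated names for the RFC 5424 Table 1 codes, not the contents of the app's lookup files.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 5424 section 6.2.1: PRIVAL = facility * 8 + severity, range 0..191.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  12: "ntp", 13: "audit", 14: "alert", 15: "clock",
                  **{16 + i: f"local{i}" for i in range(8)}}  # abbreviated Table 1 labels

# HEADER = <PRIVAL>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,3}) (\S+) (\S+) (\S+) (\S+) (\S+) ")


@dataclass
class SyslogMessage:
    prival: int
    facility: int
    severity: int
    timestamp: str
    host: str
    appname: str
    procid: str
    msgid: str
    sdid: List[str]            # multi-valued: one entry per SD-ELEMENT
    sd_params: Dict[str, str]  # flat: a PARAM-NAME repeated across elements is overwritten
    msg: str


def decode_prival(prival: int) -> Tuple[int, int]:
    """Split PRIVAL into (facility, severity); reject values outside the RFC 5424 range."""
    if not 0 <= prival <= 191:
        raise ValueError(f"PRIVAL out of range: {prival}")
    return prival // 8, prival % 8


def facility_name(code: int) -> str:
    return FACILITY_NAMES[code]


def severity_name(code: int) -> str:
    return SEVERITY_NAMES[code]


def parse_structured_data(s: str, pos: int) -> Tuple[List[str], Dict[str, str], int]:
    """Parse STRUCTURED-DATA at s[pos:]: NILVALUE '-' or one or more [SD-ID name="value" ...]."""
    sdids: List[str] = []
    params: Dict[str, str] = {}
    if s.startswith("-", pos):
        return sdids, params, pos + 1
    while pos < len(s) and s[pos] == "[":
        end = pos + 1
        while end < len(s) and s[end] not in " ]":
            end += 1
        if end == pos + 1:
            raise ValueError("empty SD-ID")
        sdids.append(s[pos + 1:end])
        pos = end
        while pos < len(s) and s[pos] == " ":       # SP SD-PARAM, SD-PARAM = NAME="VALUE"
            eq = s.find("=", pos + 1)
            if eq < 0 or not s.startswith('"', eq + 1):
                raise ValueError('SD-PARAM must be NAME="VALUE"')
            name, pos, buf = s[pos + 1:eq], eq + 2, []
            while True:
                if pos >= len(s):
                    raise ValueError("unterminated PARAM-VALUE")
                c = s[pos]
                if c == "\\" and pos + 1 < len(s) and s[pos + 1] in '"\\]':
                    buf.append(s[pos + 1])          # RFC 5424 6.3.3: only ", \ and ] are escaped
                    pos += 2
                elif c == '"':
                    pos += 1
                    break
                else:
                    buf.append(c)
                    pos += 1
            params[name] = "".join(buf)
        if not s.startswith("]", pos):
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
    if not sdids:
        raise ValueError("STRUCTURED-DATA must be '-' or at least one SD-ELEMENT")
    return sdids, params, pos


def parse_rfc5424(raw: str) -> SyslogMessage:
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 header")
    prival = int(m.group(1))
    facility, severity = decode_prival(prival)
    sdids, params, pos = parse_structured_data(raw, m.end())
    msg = ""
    if pos < len(raw):                              # MSG is optional and preceded by one SP
        if raw[pos] != " ":
            raise ValueError("expected SP before MSG")
        msg = raw[pos + 1:]
    return SyslogMessage(prival, facility, severity, *m.group(3, 4, 5, 6, 7), sdids, params, msg)


def split_frames(stream: bytes) -> List[str]:
    """RFC 6587 framing: octet counting (MSG-LEN SP SYSLOG-MSG, section 3.4.1) when the
    stream starts with a digit, otherwise non-transparent LF-terminated framing (3.4.2)."""
    if stream[:1].isdigit():
        frames, pos = [], 0
        while pos < len(stream):
            sp = stream.find(b" ", pos)
            if sp < 0 or not stream[pos:sp].isdigit():
                raise ValueError("bad MSG-LEN in octet-counted frame")
            start, length = sp + 1, int(stream[pos:sp])
            if start + length > len(stream):
                raise ValueError("truncated octet-counted frame")
            frames.append(stream[start:start + length].decode("utf-8"))
            pos = start + length
        return frames
    return [line.decode("utf-8") for line in stream.split(b"\n") if line]


def parse_stream(stream: bytes) -> List[SyslogMessage]:
    return [parse_rfc5424(frame) for frame in split_frames(stream)]


# Constructed sample messages for this example (not real log data).
MSG_A = ('<165>1 2024-03-05T10:00:00.123Z host1.example.net evntslog 2047 ID47 '
         '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
         '[examplePriority@32473 class="high"] An application event log entry')
MSG_B = (r'<34>1 2024-03-05T10:00:01Z host2.example.net sshd 812 - '
         r'[auth@32473 user="alice" cmd="dir \"C:\\tmp\" [x\]"]')   # escaped ", \ and ]; no MSG


def _octet_frame(msg: str) -> bytes:
    body = msg.encode("utf-8")
    return str(len(body)).encode() + b" " + body


OCTET_COUNTED_STREAM = _octet_frame(MSG_A) + _octet_frame(MSG_B)
NON_TRANSPARENT_STREAM = MSG_A.encode() + b"\n" + MSG_B.encode() + b"\n"

if __name__ == "__main__":
    for m in parse_stream(OCTET_COUNTED_STREAM):
        print(m.host, m.appname, facility_name(m.facility), severity_name(m.severity),
              m.sdid, m.sd_params, repr(m.msg))
```

Run the file on its own to see the two constructed messages decoded; the second one shows why the escape handling matters, since its PARAM-VALUE contains a literal `]` that would otherwise end the element early and leave a truncated cmd field in the index.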
Version 1.1 adds the ability to handle messages formatted according to RFC 6587.
Initial release.