When Solace sylogs are forwared to Splunk, sometimes they may appear as numbers such as <142>, <166>, etc. instead of familiar "INFO", "WARNING". This is beacause Splunk displays the codes as is without expanding them. These mappings are defined in RFC 5424 if you are really curious.
Splunk supports lookup tables that can be used to remap these fields. This is a 3 step process.
- Extract existing numeric code to a field using field extraction. eg: priority
- Upload mapping csv file as Lookup table.
- Verify its working with the following search.
| inputlookup solace-priority.csv
- Remap and create new field with string values eg: severity.
- Verify this extracts new field with
source="solace-event" index="solace" sourcetype="syslog" | lookup solace-priority.csv priority OUTPUT severity
You can use the script mk-syslog-priority-map.py to generate the datafile afresh or grab it from solace_priority.csv
Pl see docs folder for additional help.
Ramesh Natarajan (nram), Solace PSG