I have syslog information being sent to my heavy forwarder and I'd like to define a specific translation for one piece of information. The number in the `<>` brackets translates to Error, Warning, Info, Debug, etc.
Jun 28 13:18:14 xxx.xxx.xxx.xxx Jun 28 13:16:44 vThunder a10logd: [SYSTEM]<6> Running co
Jun 28 13:19:00 xxx.xxx.xxx.xxx Jun 28 13:17:31 vThunder a10logd: [SYSTEM]<4> Local auth
Jun 28 13:19:00 xxx.xxx.xxx.xxx Jun 28 13:17:31 vThunder a10logd: [SYSTEM]<5> A web sess
Jun 28 13:19:20 xxx.xxx.xxx.xxx Jun 28 13:17:50 vThunder a10logd: [CFGMGR]<7> Doesn't fi
Jun 28 13:19:20 xxx.xxx.xxx.xxx Jun 28 13:17:50 vThunder a10logd: [VCS]<6> dcs config se
Jun 28 13:19:20 xxx.xxx.xxx.xxx Jun 28 13:17:50 vThunder a10logd: [VCS]<6> dcs config se
Jun 28 13:22:15 xxx.xxx.xxx.xxx Jun 28 13:20:46 vThunder a10logd: [SYSTEM]<5> Session ID
Jun 28 13:22:15 xxx.xxx.xxx.xxx Jun 28 13:20:46 vThunder a10logd: [SYSTEM]<6> Session ti
Jun 28 13:24:09 xxx.xxx.xxx.xxx Jun 28 13:22:39 vThunder a10logd: [SYSTEM]<4> Local auth
Jun 28 13:24:09 xxx.xxx.xxx.xxx Jun 28 13:22:39 vThunder a10logd: [SYSTEM]<5> A web sess
So:
7=Debug
6=Info
5=Warning
4=Error
However, in my searching, I'm not sure the right way to accomplish this.
What I would like in the search is to be able to filter to just the warnings (5), but do it with the word "warning" instead of remembering that number 5 is the warning level.
Is that a new index-time field? Can I just add the field as a lookup to my sourcetype?
↧