Hello,
In my environment I have a setup of two heavy forwarders forwarding to a set of clustered indexers.
I want those forwarders to receive syslog, and depending on the facility/severity the incoming data should be forwarded to different indexes.
To get the syslog facility/severity, I want to do a lookup for the priority I receive in the event. To do that lookup, I figured I need a named field for the priority.
So I created an app for those forwarders with the following:
props.conf:
[generic_syslog]
EXTRACT-extract_syslog_priority = ^<(?\d+)>
LOOKUP-lookup_syslog_priority = syslog_priority_lookup syslog_priority OUTPUTNEW syslog_facility, syslog_severity
transforms.conf
[syslog_priority_lookup]
filename = syslog_priorities.csv
However, above config does not seem to work. The indexed events have no fields as "syslog_priority", nor "syslog_facility" or the severity.
What am I getting wrong here?
↧