http://www.splunk.com/support/forum:SplunkAdministration/2846 Sun, 21 Mar 2010 15:41:55 PDT Sun, 21 Mar 2010 15:41:55 PDT en-us http://creativecommons.org/licenses/by-nc-nd/2.5/ http://www.splunk.com/support/forum:SplunkAdministration/2846/9106 <p>Per <a href="http://www.splunk.com/base/Documentation/latest/Admin/NetworkPorts#inputs.conf">http://www.splunk.com/base/Documentation/latest/Admin/NetworkPorts#inputs.conf</a>:</p> <p>no_priority_stripping = true | false</p> <p>* If this attribute is set to true, then Splunk does NOT strip the &lt;priority&gt; syslog field from received events.<br /> * Otherwise, Splunk strips syslog priority from events.</p> <p>no_appending_timestamp = true</p> <p>* If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events.<br /> * Note: Do NOT include this key at all if you want to append timestamp and host to received events.</p> <p>linux-messages-syslog sourcetype tells splunk to do the following processing ($SPLUNK_HOME/etc/system/default/props.conf):</p> <p>[linux_messages_syslog]<br /> pulldown_type = true <br /> MAX_TIMESTAMP_LOOKAHEAD = 32<br /> TIME_FORMAT = %b %d %H:%M:%S<br /> TRANSFORMS = syslog-host<br /> REPORT-syslog = syslog-extractions<br /> SHOULD_LINEMERGE = False</p> Fri, 12 Jun 2009 10:10:45 PDT araitz http://www.splunk.com/support/forum:SplunkAdministration/2846/9106 http://www.splunk.com/support/forum:SplunkAdministration/2846/9098 <p>Hi,</p> <p>We have started some practical work with evaluating Splunk (3.4.10) and I have questions regarding details.</p> <p>1: Splunk tcp input from Linux syslog clients compared with udp input yields different output:</p> <p>tcp:<br /> &lt;83&gt;Jun 5 10:34:37 uo000156 agetty[26028]: /dev/xvc0: No such file or directory<br /> udp:<br /> Jun 1 11:05:51 up000073.abrakdabra.com Jun 1 11:05:51 up000073 syslog-ng[19358]: SIGHUP received, restarting syslog-ng</p> <p>Furthermore when loading syslog input from Juniper Netscreen to the tcp listener there is no recognition of messages start and stop, they are auto truncated (by length I assume) and what should be separate messages are presented as one which can be truncated and continue in the next message. Sending data to the udp listener yields more &quot;normal&quot; output with messages separated as they should. I found a Netscreen application , downloaded, installed and enabled it, but could not notice any differences. Probably because I have not yet realized what configration entries that should be changed.</p> <p>I have looked at <a href="http://interop.demo.splunk.com/" onclick="window.open(this.href, '_blank'); return false;">http://interop.demo.splunk.com/</a> (Splunk 3.4.5) and this site does not display tcp input with the pri field. There is also data from Juniper Netscreen via tcp and this information is presented nicely and what you would expect as normal output.</p> <p>Is this difference between tcp and udp input considered as normal ? I assume that there might be some additional configuration to accomplish the same result as from the demo site ( <a href="http://interop.demo.splunk.com/" onclick="window.open(this.href, '_blank'); return false;">http://interop.demo.splunk.com/</a>). Is there any way to get information and/or config files regarding this ?</p> <p>2: What is the practical difference when selecting linux-messages-syslog compared with syslog when specifying source type ?</p> <p>linux-messages-syslog:<br /> &lt;4&gt;May 29 17:45:35 up000073 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:01:30:5f:c9:00:08:00 SRC=107.21.24.251 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=42110 PROTO=2</p> <p>syslog:<br /> &lt;83&gt;Jun 5 10:34:37 uo000156 agetty[26028]: /dev/xvc0: No such file or directory<br /> </p> <p>BR,<br /> Anders</p> Fri, 12 Jun 2009 07:23:21 PDT anderss http://www.splunk.com/support/forum:SplunkAdministration/2846/9098