Closed Adpafer closed 6 months ago
Hello, @Adpafer !
In your message:
<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'
The part that you mentioned is a message header according to the RFC:
<30>Dec 20 08:35:26 linuxPC
(<PRI> DATETIME HOSTNAME). The next thing is the message body - dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'
We parse this header and save it to variables (highlighted in the screenshot), and you can search by these variables (example message in the screenshot):
But the original message you can find in our tests; it also contains <PRI> DATETIME HOSTNAME
P.S. If you really want to add this info to Splunk, then you can use t_everything instead of t_msg_only for your custom parser.
P.P.S. It's not a bug; it seems that I need to close it. Please let me know if something is unclear.
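As an added illustration of the header split described in the comment above (this is example code written for this page, not SC4S or syslog-ng code): a small parser for the BSD-syslog (RFC 3164) line format that pulls <PRI>, DATETIME and HOSTNAME into fields, decodes PRI into facility/severity, and then renders the record either body-only (what the reporter saw arrive in Splunk) or as the full original line. The two render functions only approximate the "msg only" versus "everything" behaviour discussed in the thread; they are not the actual SC4S t_msg_only / t_everything template definitions. The sample log lines are constructed for this example.

```python
import re

# Facility and severity names follow the RFC 3164 numbering (PRI = facility*8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME BODY  (timestamp is "Mmm dd hh:mm:ss", day may be space padded)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$",
    re.DOTALL,
)
# Optional TAG at the start of the body: program[pid]: message  or  program: message
TAG_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<message>.*)$", re.DOTALL)

# Constructed sample input for this example (first line is the one from the issue).
SAMPLE_LINES = [
    "<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'",
    "<13>Dec  5 09:01:02 host2 sshd: Accepted publickey for alice from 10.0.0.5 port 51234",
]


def parse_bsd_syslog(line):
    """Split an RFC 3164 line into header fields and body; raise ValueError if no header."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header found: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range (max 191)" % pri)
    rec = {
        "pri": pri,
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "body": m.group("body"),       # everything after the header, TAG included
        "program": None,
        "pid": None,
        "message": m.group("body"),    # body with TAG removed, if a TAG is present
    }
    t = TAG_RE.match(rec["body"])
    if t:
        rec["program"] = t.group("program")
        rec["pid"] = int(t.group("pid")) if t.group("pid") else None
        rec["message"] = t.group("message")
    return rec


def render_body_only(rec):
    """Header stripped: the form the reporter saw arriving in Splunk."""
    return rec["body"]


def render_full(rec):
    """Reassemble the original line (header kept) from the parsed fields."""
    return "<%d>%s %s %s" % (rec["pri"], rec["timestamp"], rec["host"], rec["body"])


def search(records, **wanted):
    """Filter parsed records on header fields, e.g. search(recs, host="linuxPC", facility="daemon")."""
    return [r for r in records if all(r.get(k) == v for k, v in wanted.items())]


if __name__ == "__main__":
    records = [parse_bsd_syslog(line) for line in SAMPLE_LINES]
    for rec in records:
        print(rec["host"], rec["facility"], rec["severity"], rec["program"], rec["pid"])
        print("  body only :", render_body_only(rec))
        print("  everything:", render_full(rec))
    print("from linuxPC:", len(search(records, host="linuxPC")))
```

Note that a line arriving without a <PRI> header at all raises rather than being silently treated as a body, which is the check you want before deciding which fields a forwarded event will carry.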
Detailed answer here. It seems that we don't need to fix it. No reaction from the customer, closing.
Hello,
I have rsyslog configured on my linuxPC that sends logs to SC4S, and SC4S then forwards these logs to a given index. Logs received by SC4S look like this example:
<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'
but when SC4S forwards them to Splunk, Splunk receives them with no date, time and host name:
dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'
Is there any way Splunk can receive the same log?
thanks for help, regards, pawelF