LogUsage data source
Hello, We are having all our devices sending syslog to LM collector. Via LogUsage data source, we can monitor if the device sends syslog data or no. But the threshold to alarm on that is only 60 minutes. We would like to make the threshold longer like 1 or 2 days because some devices are quieter than others, and we want to control if we missed to configure syslog on one of the devices or it doesn't send syslog anymore due to any reason. So, i contacted LM support, they said it would be custom datasource. Any help with how to achieve that?
Parse syslog facility and priority
Syslog that adheres to the standard format that has been around for decades prefixes the message with a number between greater than and less than symbols. For example: That value is the result of combining two different numbers: facility and priority. We can decode this facility and priority number pretty easily. Let’s take 164 for example: 164 in binary is “1010 0100”. The facility is extracted by taking the first 5 digits of 164 in binary, “10100” and converting to decimal, 20. Looking that up in a standard table, we can see that 20 corresponds to a facility of local4. The priority is extracted by taking the last 3 digits of 164 in binary, “100” and converting to decimal, 4. Looking that up in a standard table, we can see that 4 corresponds to a priority of Warning. LM Logs has the ability to extract this number from the log message. It’s pretty easy since all you do is pipe the search query into the parse operator: This puts the number into its own column, in this case called severity. What I’d like to do is: Take the value in the severity column and convert it to binary. Then take the first 5 digits and convert to decimal and show that as a separate field on the log. Take the value in the severity column and convert it to binary. Then take the last 3 digits and convert to decimal and show that as a separate field on the log. I’d love the ability to embed the mapping found in the standard table so that instead of displaying the number it displayed the name of the facility and priority. Since pretty much all Syslog follows this format and uses the standard table, it might be worth it for LM to build this kind of capability into LM Logs if it doesn’t exist today. All customers who do syslog streaming into LM Logs would benefit from having the facility and priority parsed out into human readable words. What I’m thinking is a couple of new operators in the query language: dec_to_bin(x) - converts a decimal number (x) to binary bin_to_dec(x) - converts a binary number (x) to decimal left(myStr, x) - grabs a specified number of characters (x) from the left part of a string (myStr) right(myStr, x) - grabs a specified number of characters (x) from the right part of a string (myStr) mid(myStr, x, y) - grabs a specified number of characters (y) from a string (myStr) starting at a certain character index (x) str(x) - converts an object (x) into a string so that it can be used as an argument in left, right, mid functions lookup(x, myDictionary) - looks up a value (x) in the keys of a dictionary (myDictionary) and returns the value of the dictionary entry Alternatively, or in addition: parse_facility(msg) - extracts the facility and returns the human readable facility name (basically doing in one step what I’d do manually with the functions above) parse_priority(msg) - extracts the priority and returns the human readable priority name (basically doing in one step what I'd do manually with the functions above)