InsightOps will automatically parse and index fields within your Syslog data. Keys are automatically highlighted and clickable. Clicking on a field will populate the search bar to allow for quick searching across your data.
If we take a normal Syslog example in this format:
<165>1 Feb 22 17:16:34 test-VirtualBox kernel:  Accidentally deleted folder=system32
The syslog header (RFC 5424) has the format:
*pri* *version* *timestamp* *hostname* *appname* *procid*
InsightOps parses these implied keys immediately, so they are available for groupby queries and calculations. From the example above, the extracted keys are:
pri = 165
version = 1
timestamp = Feb 22 17:16:34
hostname = test-VirtualBox
appname = kernel
(There is no procid in this example, so that key is not populated.)
These keys make log searching easier. For example, you can now run queries such as:
Look for a hostname with:
See what appnames are used most often with:
groupby(appname) calculate(count) sort(desc)
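To show what "parsing the implied keys" means in practice, the following added example (written for this page, not InsightOps code) extracts pri, version, timestamp, hostname, appname and procid from syslog lines, decodes the PRI into facility and severity, pulls key=value pairs out of the message, and reproduces the groupby(appname) calculate(count) sort(desc) query over a handful of constructed sample lines. The sample lines, the field names and the function names are assumptions for the example; the page's own example line is included as the first sample. It accepts both the RFC 5424 ISO 8601 timestamp and the older RFC 3164 "Mon DD HH:MM:SS" form seen in the page's example, and rejects lines with no syslog header.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original page, except the first one,
# which is the page's own example). Lines 2-4 use RFC 5424 headers with an
# ISO 8601 timestamp, a PROCID, and "-" for NILVALUE fields.
SAMPLE_LOGS = [
    "<165>1 Feb 22 17:16:34 test-VirtualBox kernel:  Accidentally deleted folder=system32",
    "<34>1 2023-02-22T17:16:35.003Z test-VirtualBox sshd 1042 - - Failed password for user=root src=10.0.0.7",
    "<38>1 2023-02-22T17:16:36Z web-01 sshd 2211 ID47 - Accepted publickey for user=deploy src=10.0.0.9",
    "<13>1 2023-02-22T17:16:37Z web-01 cron 99 - - job=backup status=ok",
    "this line has no syslog header and must be rejected",
]

# RFC 5424 severity names, indexed by PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME [PROCID] rest
# TIMESTAMP is either RFC 5424 ISO 8601 or RFC 3164 "Mon DD HH:MM:SS".
# A trailing ":" on APP-NAME (as in "kernel:") is tolerated and stripped.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T[0-9:.]+(?:Z|[+-]\d{2}:\d{2})"
    r"|[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<appname>[^\s:]+):?"
    r"(?:\s+(?P<procid>\d+))?"
    r"\s*(?P<rest>.*)$"
)

# key=value pairs inside the free-text message, e.g. folder=system32.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Return a dict of implied keys for one syslog line, or None if the line
    has no valid syslog header (the check the troubleshooting note asks for)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # RFC 5424: PRI = facility*8 + severity, facility 0..23
        return None
    fields["pri"] = pri
    fields["facility"] = pri // 8
    fields["severity"] = SEVERITIES[pri % 8]
    rest = fields.pop("rest")
    fields["message"] = rest
    fields["kv"] = dict(KV_RE.findall(rest))
    return fields


def groupby_count(lines, key):
    """Equivalent of groupby(<key>) calculate(count) sort(desc): returns a list
    of (value, count) pairs, most frequent first. Unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        fields = parse_syslog(line)
        if fields is not None and fields.get(key) is not None:
            counts[fields[key]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_syslog(line))
    print(groupby_count(SAMPLE_LOGS, "appname"))
```

The PRI decode is worth keeping in a real pipeline: the page's example PRI of 165 is facility 20 (local4) at severity notice, and a PRI above 191 or a missing `<PRI>` prefix is the usual sign that a source is not sending a proper syslog header.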
Having trouble with Syslog parsing?
Confirm that the data is RFC 5424 compliant and has a syslog header: a PRI in angle brackets, a version, a timestamp, a hostname and an app name. RFC 5424 specifies an ISO 8601 timestamp (for example 2023-02-22T17:16:34Z); the "Feb 22 17:16:34" form in the example above is the older RFC 3164 style. Lines without a syslog header cannot be parsed into these keys.