Rahul Jha

I will check it and get back

Looks like the message format is not as per standard, as we only have limited evidence here i dont want to change the default parser,I am providing you a workaround...

We will check the feasibility in version 3 as we already provided work around for this.

Its mentioned in the issue itself @mattweber78

no this field is coming out of the box , so to stop creating small buckets based on this field the only way i foresee is dropping the field.

Sure , we will keep you posted.

Hi , i reviewed the attached text sample, can you attach pcap/sanitized log after processing it in wireshark, as the documentation claim to have RFC5424 format but the attached log...

@mateuszpierzchala-splunk FYI

We will release it in next major version

i will relook into this.