Yes, the facility and priority fields are no longer indexed by default as of LI 2.0. Typically, they are not helpful when constructing alerts because searching for error events based on those fields would lead to tons of results. How are you using the fields today? If you need the functionality back, open a support case and GSS can tell you how to enable them again.
Not helpful? All I can imagine then is that the developers never expected the product to be used how we use it, which I would have thought would be very common.
Logs from switches/routers/firewalls - these types of appliances generate a LOT of syslog, however you're only really interested in warnings and above. Very difficult to filter out all of the informational stuff relying on text field matching. Need the priority field back, basically.
If they can be re-enabled and you know how to do it, would save me opening a case 😉
cheers
Lee.
Well, searching for warning and above is definitely helpful, however you would not alert on warning or higher or you would get a lot of results. I assume you are looking for a specific message in priority warning and higher. Is it that what you are looking for in warning and higher also appears below warning? If not, then the priority can be removed from the alert and it will still work.
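The two posts above argue about whether the syslog priority field is needed to pick out "warning and above" from appliance logs, versus matching on message text. The following is an added example, not code from the thread or from Log Insight: it decodes the standard syslog PRI header (PRI = facility * 8 + severity, severity 4 = warning, per RFC 3164 / RFC 5424) and compares a severity filter with the keyword matching Lee describes. The sample log lines are constructed for the example and do not come from any real device.

```python
import re
from typing import List, Optional, Tuple

# Syslog PRI encoding (RFC 3164 / RFC 5424): the message starts with "<PRI>"
# where PRI = facility * 8 + severity. Lower severity numbers are more urgent.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = (
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
    + [f"local{i}" for i in range(8)]
)
WARNING = 4  # "warning and above" means severity <= 4

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample lines (hypothetical hosts and addresses, not real device output).
SAMPLE_LINES = [
    "<187>Jan 10 10:15:01 fw01 failed to allocate connection slot, table full",      # local7.err
    "<190>Jan 10 10:15:02 fw01 built outbound connection 10.0.0.5 -> 10.0.1.9",     # local7.info
    "<134>Jan 10 10:15:03 sw01 interface Gi0/1 status check ok, no error found",    # local0.info
    "<132>Jan 10 10:15:04 sw01 link flap detected on Gi0/1",                         # local0.warning
    "<130>Jan 10 10:15:05 rtr01 bgp neighbor 10.0.2.1 down",                         # local0.crit
    "<29>Jan 10 10:15:06 rtr01 config saved by admin from 10.0.9.3",                 # daemon.notice
    "garbage line without a PRI header",
]


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, remainder), or None if the line has no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return pri // 8, pri % 8, m.group(2)


def filter_by_severity(lines: List[str], max_severity: int = WARNING) -> List[str]:
    """Keep lines whose decoded severity is at least as urgent as max_severity.

    Lines without a parseable PRI are kept too: silently dropping an
    unrecognised message is worse for an operator than one extra noisy line.
    """
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None or parsed[1] <= max_severity:
            kept.append(line)
    return kept


def filter_by_keywords(lines: List[str], keywords: List[str]) -> List[str]:
    """The text-matching approach the post describes: match on words in the message."""
    lowered = [k.lower() for k in keywords]
    return [line for line in lines if any(k in line.lower() for k in lowered)]


def describe(line: str) -> str:
    """Render a line as facility.severity: message for human inspection."""
    parsed = parse_pri(line)
    if parsed is None:
        return "unparsed: " + line
    facility, severity, rest = parsed
    return f"{FACILITY_NAMES[facility]}.{SEVERITY_NAMES[severity]}: {rest}"


if __name__ == "__main__":
    print("-- severity <= warning --")
    for line in filter_by_severity(SAMPLE_LINES):
        print(describe(line))
    print("-- keyword match on error/fail/down --")
    for line in filter_by_keywords(SAMPLE_LINES, ["error", "fail", "down"]):
        print(describe(line))
```

Run as-is, the severity filter keeps the err, warning and crit lines (plus the unparseable one, flagged as such), while the keyword filter picks up the informational "no error found" line and misses the link-flap warning entirely, which is the failure mode of text matching that the post describes.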
It is an internal process so unfortunately you would need a support case.
If your question is answered, can you mark it as answered?