topic Re: Can I get search script to filter only errpt errors? in Splunk Search

Can I get search script to filter only errpt errors?

gsrikanth87 — Thu, 05 Feb 2015 21:30:40 GMT

I am getting below output when i am searching in syslog. I want to filter only Error Log messages given below.

search :source="/var/adm/syslog/syslog.log" | multikv |

Time    Event
2/5/15 
4:09:15.000 PM  
Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test 
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:15.000 PM  
Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test 
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug3: fd 8 is O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: fd 11 setting O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: channel 0: rfd 11 isatty

Re: Can I get search script to filter only errpt errors?

David — Fri, 06 Feb 2015 01:48:54 GMT

Can you provide a mockup of what you would like to see?

Re: Can I get search script to filter only errpt errors?

lguinn2 — Fri, 06 Feb 2015 06:42:02 GMT

I think this will be a good start

source="/var/adm/syslog/syslog.log" ERRLOGGER

Re: Can I get search script to filter only errpt errors?

gsrikanth87 — Fri, 06 Feb 2015 14:58:56 GMT

Yes, but I am getting 2 duplicate results for each error,

Time Event
2/5/15
4:09:15.000 PM

Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2

2/5/15
4:09:15.000 PM

Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2

Re: Can I get search script to filter only errpt errors?

anilyelmar — Sun, 28 Feb 2016 18:09:29 GMT

its issue with your logging of syslog as its getting re-indexed. You can check inputs and get that fixed though if you want to continue as it is and remove duplicates use : source="/var/adm/syslog/syslog.log" ERRLOGGER | dedup _raw