I am trying to find all unique messages sent to syslog from specific machines
Splunk 6.6.8
Using the following bash command, I get what I want:
grep -v "sendmail\|nrpe\|freshclam" /var/log/messages | cut -c27- |sort| uniq -c
The following Splunk search comes close, but cuts out some results:
host="srvr1" OR host="srvr2" NOT ( sendmail OR nrpe OR freshclam ) | dedup process
As an example, I only get one of these lines instead of all three:
### init: Id "x" respawning too fast: disabled for 5 minutes
### init: Id "y" respawning too fast: disabled for 5 minutes
### init: Id "z" respawning too fast: disabled for 5 minutes
Splunk will only return one of those lines. If I do a general search for the other two errors, they are there in Splunk, so they are captured. I tried a dedup on other fields, but so far "process" seems to be the best fit.
Any suggestions?
@cwheeler33,
Try using substr and then dedup them. For example:
host="srvr1" OR host="srvr2" NOT ( sendmail OR nrpe OR freshclam ) | eval message=substr(_raw,0,50)|table _raw,message|dedup message
You could change _raw to the field where you are getting the log messages, if any, and also change the character length to get sufficient text to decide the duplicates.
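The shell script below is an added illustration, not part of the original question or answer. It builds a small constructed syslog sample (the hostnames, timestamps and messages are made up) and compares the two dedup keys discussed above: keying on the process name keeps only the first event per process and so collapses the three init lines, while keying on the message text after the timestamp and host (the same idea as the bash pipeline in the question and the substr approach in the answer) keeps all three and counts the true duplicates.

```shell
#!/bin/sh
# Added example (not from the original post): compare dedup keys on syslog lines.
# Constructed sample in standard syslog layout: "Mon DD HH:MM:SS host process[pid]: message"
SAMPLE_LOG="${TMPDIR:-/tmp}/syslog_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 srvr1 init: Id "x" respawning too fast: disabled for 5 minutes
Mar 10 12:00:02 srvr1 init: Id "y" respawning too fast: disabled for 5 minutes
Mar 10 12:00:03 srvr2 init: Id "z" respawning too fast: disabled for 5 minutes
Mar 10 12:00:04 srvr2 init: Id "x" respawning too fast: disabled for 5 minutes
Mar 10 12:00:05 srvr1 sendmail[123]: queued mail
Mar 10 12:00:06 srvr2 nrpe[456]: check ok
Mar 10 12:00:07 srvr1 sshd[789]: Accepted publickey for admin
EOF

# Processes treated as noise, as in the question's grep -v / NOT clause.
NOISE='sendmail|nrpe|freshclam'

# Message-keyed dedup: drop the timestamp and host (first four whitespace
# fields) and count unique remaining text. Using awk instead of cut -c27-
# keeps this correct for single-digit days ("Mar  9") and hostnames of any
# length; runs of internal whitespace are collapsed to one space.
unique_messages() {
  grep -Ev "$NOISE" "$1" \
    | awk '{ $1=$2=$3=$4=""; sub(/^ */, ""); print }' \
    | sort | uniq -c
}

# Process-keyed dedup: keep only the first event per process, which is what
# "| dedup process" does in Splunk. The pid suffix and trailing colon are
# stripped so "sshd[789]:" and "sshd[790]:" count as the same process.
first_per_process() {
  grep -Ev "$NOISE" "$1" \
    | awk '{ proc=$5; sub(/:$/, "", proc); sub(/\[.*/, "", proc)
             if (!seen[proc]++) print }'
}

echo "== unique messages with counts (message-keyed) =="
unique_messages "$SAMPLE_LOG"
echo "== first event per process (process-keyed, like dedup process) =="
first_per_process "$SAMPLE_LOG"
```

Run it as `sh dedup_keys.sh`; the message-keyed output lists the "x", "y" and "z" init lines separately (with "x" counted twice), whereas the process-keyed output shows a single init line, which is the behaviour the question describes.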