Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I find unique errors from cronjobs sent to syslog?

cwheeler33
Explorer
‎09-14-2018 02:39 PM

I am trying to find all unique messages sent to syslog from specific machines
Splunk 6.6.8

Using the following bash command, I get what I want:

grep -v  "sendmail\|nrpe\|freshclam" /var/log/messages | cut -c27- |sort| uniq -c

The following Splunk search comes close, but cuts out some results:

host="srvr1" OR host="srvr2"  NOT ( sendmail OR nrpe OR freshclam )  | dedup process

As an example, I only get one of these lines instead of all three:

### init: Id "x" respawning too fast: disabled for 5 minutes
### init: Id "y" respawning too fast: disabled for 5 minutes
### init: Id "z" respawning too fast: disabled for 5 minutes

Splunk will only return one of those lines. If I do a general search for the other two errors, they are there in Splunk so they are captured. I tried a dedup on other fields, but so far "process" seems to be the best fit.

Any suggestions?

0 Karma
Reply

renjith_nair
Legend
‎09-14-2018 08:30 PM

@cwheeler33,

Try using substr and then dedup them

For e.g.

host="srvr1" OR host="srvr2"  NOT ( sendmail OR nrpe OR freshclam )  | eval message=substr(_raw,0,50)|table _raw,message|dedup message

You could change the _raw to the filed where you are getting the log messages if any and also change the character length to get sufficient text to decide the duplicates.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...