- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Source type for dmesg log file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Source type for dmesg log file
I was wondering if anyone had a good solution for a proper source type for dmesg? Or failing that some way of handling the fact it is different than most other logs in that entries aren't always single lines, and the timestamps are relative to system boot. That makes it difficult for the indexers to assign a time stamp for the entries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A Forwarder can't read dmesg command outputs. It will be directly monitoring /var/log/dmesg which doesn't contain time stamps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's true!
If the UF runs as root you can get continuous dmesg output using scripting input.
I hope somebody can provide a solution to calculate a correct timestamp (if it is relevant).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @scottj1y ,
- entries aren't always single lines - no problem with splunk, just set properly SHOULD_LINEMERGE=false and LINE_BREAKER/TIME_FORMAT
- the timestamps are relative to system boot - use one of following to get human readable timestamp:
T + x switches:
switch -x - Decode facility and level (priority) number to human readable prefixes.
switch -T - Print human readable timestamps. The timestamp could be inaccurate!
[root@linux ~]# dmesg -x -T|head
kern :notice: [Fri Mar 27 14:42:48 2020] Linux version 4.19.94-2.xxxx
kern :info : [Fri Mar 27 14:42:48 2020] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.94-2.xxxxx
kern :info : [Fri Mar 27 14:42:48 2020] KERNEL supported cpus:
kern :info : [Fri Mar 27 14:42:48 2020] Intel GenuineIntel
kern :info : [Fri Mar 27 14:42:48 2020] AMD AuthenticAMD
kern :info : [Fri Mar 27 14:42:48 2020] Centaur CentaurHauls
kern :info : [Fri Mar 27 14:42:48 2020] Disabled fast string operations
kern :info : [Fri Mar 27 14:42:48 2020] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
with -T only:
[root@mwg42 ~]# dmesg -T|head
[Fri Mar 27 14:42:49 2020] Linux version 4.19.94-2.xxxx
[Fri Mar 27 14:42:49 2020] Command line: BOOT_IMAGE=xxxx
[Fri Mar 27 14:42:49 2020] KERNEL supported cpus:
[Fri Mar 27 14:42:49 2020] Intel GenuineIntel
[Fri Mar 27 14:42:49 2020] AMD AuthenticAMD
[Fri Mar 27 14:42:49 2020] Centaur CentaurHauls
[Fri Mar 27 14:42:49 2020] Disabled fast string operations
[Fri Mar 27 14:42:49 2020] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
indeed, the dmesg can contain a lot of different log formats, it is difficult to pick one right sourcetype. What about "dmesg"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this for manually executed dmesg commands? If so, then you can just default to "now" as the event _time, and it would be fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, this is for continuous monitoring like any other log file.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
