Splunk Search

Can I get search script to filter only errpt errors?

gsrikanth87
Path Finder

I am getting the below output when I search in syslog. I want to filter only the Error Log messages given below.

search :source="/var/adm/syslog/syslog.log" | multikv |

Time    Event
2/5/15 
4:09:15.000 PM  
Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test 
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:15.000 PM  
Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test 
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug3: fd 8 is O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: fd 11 setting O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: channel 0: rfd 11 isatty
0 Karma

anilyelmar
Explorer

It's an issue with your logging of syslog, as it's getting re-indexed. You can check inputs and get that fixed, though if you want to continue as it is and remove duplicates, use: source="/var/adm/syslog/syslog.log" ERRLOGGER | dedup _raw

0 Karma

lguinn2
Legend

I think this will be a good start

source="/var/adm/syslog/syslog.log" ERRLOGGER
0 Karma
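The two answers above amount to "keep only the errpt lines, then drop the re-indexed duplicates". The following Python script is an added example (not code from the thread or from Splunk) that does the same thing outside Splunk, on the syslog lines quoted in the question, so the filter and the dedup step can be checked offline. It keys on the generic "Msg from Error Log:" prefix that AIX puts on every forwarded errpt entry rather than on ERRLOGGER, which in the sample appears only because the entry was generated by the errlogger test command. The sample lines are constructed from the ones in the question plus one invented PERM-class entry (label and identifier are placeholders); the set of errpt Type codes is assumed from AIX documentation.

```python
import re

# Syslog header as it appears in the question, followed by the errpt banner.
# Example: "Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: ---- LABEL: ..."
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\S+) "
    r"(?P<tag>\S+?): Msg from Error Log:\s*-*\s*(?P<body>.*)$"
)

# Colon-delimited errpt header fields, in the order errpt prints them.
KEYS = ["LABEL", "IDENTIFIER", "Date/Time", "Sequence Number", "Machine Id",
        "Node Id", "Class", "Type", "WPAR", "Resource Name"]
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
FIELD_RE = re.compile(
    rf"(?P<key>{_KEY_ALT}):\s*(?P<value>.*?)(?=\s+(?:{_KEY_ALT}):|\s+Description\b|$)"
)
# Free-text sections have no colon; they are delimited by the next section title.
DESC_RE = re.compile(
    r"\bDescription\s+(?P<desc>.*?)"
    r"(?=\s+(?:Probable Causes|User Causes|Failure Causes|Recommended Actions|Detail Data)\b|$)"
)
DETAIL_RE = re.compile(r"\bDetail Data\s+(?P<detail>.*)$")

# errpt Type codes (assumption: taken from AIX errpt documentation, not from the thread).
ERRPT_TYPES = {"PEND", "PERF", "PERM", "TEMP", "UNKN", "INFO"}


def parse_errpt_event(line):
    """Return a dict for a forwarded errpt entry, or None for any other syslog line."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    body = m.group("body")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    desc = DESC_RE.search(body)
    detail = DETAIL_RE.search(body)
    return {
        "raw": line,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "fields": fields,
        "description": desc.group("desc").strip() if desc else "",
        "detail": detail.group("detail").strip() if detail else "",
    }


def filter_errpt_events(lines, types=None, dedup_key="raw"):
    """Keep errpt entries only, optionally restricted to a set of Type codes,
    and drop duplicates.  dedup_key="raw" mirrors Splunk's `dedup _raw`;
    dedup_key="sequence" keys on (host, Sequence Number) instead, which also
    catches a re-indexed copy whose syslog timestamp differs."""
    seen, events = set(), []
    for line in lines:
        line = line.rstrip()
        ev = parse_errpt_event(line)
        if ev is None:
            continue
        if types is not None and ev["fields"].get("Type") not in types:
            continue
        key = line if dedup_key == "raw" else (ev["host"], ev["fields"].get("Sequence Number"))
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    return events


# Constructed sample: the question's lines (the OPMSG entry appears twice, as in
# the re-indexed data) plus one invented PERM entry with placeholder label/identifier.
OPMSG_LINE = (
    "Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: "
    "--------------------------------------------------------------------------- "
    "LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 "
    "Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP "
    "WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION "
    "User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA "
    "Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test "
)
SAMPLE_LINES = [
    OPMSG_LINE,
    OPMSG_LINE,
    "Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug3: fd 8 is O_NONBLOCK",
    "Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: fd 11 setting O_NONBLOCK",
    "Feb  5 16:12:40 bhx26 user:notice root: Msg from Error Log: ---- "
    "LABEL: EXAMPLE_LABEL IDENTIFIER: DEADBEEF Date/Time: Thu Feb 5 16:12:40 EST 2015 "
    "Sequence Number: 388 Machine Id: 00C463C74C00 Node Id: bhx26 Class: H Type: PERM "
    "WPAR: Global Resource Name: hdisk0 Description EXAMPLE DISK ERROR "
    "Probable Causes EXAMPLE CAUSE Recommended Actions EXAMPLE ACTION Detail Data 0000 0000",
]

if __name__ == "__main__":
    for ev in filter_errpt_events(SAMPLE_LINES):
        f = ev["fields"]
        print(f'{ev["timestamp"]} {ev["host"]} seq={f["Sequence Number"]} '
              f'{f["Class"]}/{f["Type"]} {f["LABEL"]}: {ev["description"]}')
```

Run as-is it prints one line per distinct errpt entry (two for the sample, not three). Passing `types={"PERM", "PEND"}` keeps only the hardware and pending failures and drops the TEMP test message, which is usually the filter you actually want for alerting; the Splunk equivalent, once the fields are extracted, is a `Type=PERM OR Type=PEND` term in the search rather than the ERRLOGGER keyword.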

gsrikanth87
Path Finder

Yes, but I am getting 2 duplicate results for each error:

Time Event
2/5/15
4:09:15.000 PM

Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2

2/5/15
4:09:15.000 PM

Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2

0 Karma

David
Splunk Employee

Can you provide a mockup of what you would like to see?

0 Karma