I am getting the below output when I am searching in syslog. I want to filter only the Error Log messages given below.
search: source="/var/adm/syslog/syslog.log" | multikv |
Time Event
2/5/15
4:09:15.000 PM
Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15
4:09:15.000 PM
Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15
4:09:03.000 PM
Feb 5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug3: fd 8 is O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15
4:09:03.000 PM
Feb 5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: fd 11 setting O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15
4:09:03.000 PM
Feb 5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: channel 0: rfd 11 isatty
It's an issue with your logging of syslog, as it's getting re-indexed. You can check inputs and get that fixed. Though if you want to continue as it is and remove duplicates, use: source="/var/adm/syslog/syslog.log" ERRLOGGER | dedup _raw
I think this will be a good start
source="/var/adm/syslog/syslog.log" ERRLOGGER
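As an added example that is not part of the thread, here is the filter-and-dedup step behind `source="/var/adm/syslog/syslog.log" ERRLOGGER | dedup _raw` done in Python on a constructed copy of the lines above, with the AIX errlog headers visible in the event (LABEL, IDENTIFIER, Sequence Number, ...) pulled out as fields. `errlog_identity` is an added helper, not anything on the page: it dedups on Node Id plus Sequence Number so that copies that differ only in their syslog timestamp also collapse, which `dedup _raw` would not.

```python
import re
# Added example, not from the thread: parse the AIX "Msg from Error Log" syslog
# lines shown above into fields and drop the re-indexed duplicate copies.
ERRLOG_MARKER = "Msg from Error Log:"
FIELDS = ["LABEL", "IDENTIFIER", "Date/Time", "Sequence Number", "Machine Id",
          "Node Id", "Class", "Type", "WPAR", "Resource Name"]
_ALT = "|".join(re.escape(f) for f in FIELDS)
# a value runs up to the next known key, the free-text "Description" block, or EOL
FIELD_RE = re.compile(rf"({_ALT}):\s*(.*?)(?=\s+(?:{_ALT}):|\s+Description\b|$)")
HEAD_RE = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+")

# Constructed sample modelled on the page: the same errlog line twice (the
# duplicate the asker sees) plus one sshd debug line that must be filtered out.
_ERRLOG_LINE = (
    "Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: ----- "
    "LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 "
    "Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O "
    "Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR "
    "NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW "
    "DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test"
)
SAMPLE_SYSLOG = [_ERRLOG_LINE, _ERRLOG_LINE,
    "Feb 5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug3: fd 8 is O_NONBLOCK"]

def parse_errlog_event(line):
    """Fields of one errlog syslog line, or None for non-errlog lines (e.g. sshd)."""
    if ERRLOG_MARKER not in line:
        return None
    head, _, body = line.partition(ERRLOG_MARKER)
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    m = HEAD_RE.match(head)  # syslog header: timestamp, host, facility:priority
    if m:
        fields.update(time=m.group(1), host=m.group(2), facility=m.group(3))
    fields["_raw"] = line
    return fields

def errlog_identity(ev):
    """Identity of an errlog entry: the node plus the errlog's own sequence number."""
    return (ev.get("Node Id"), ev.get("Sequence Number"))

def filter_error_log(lines, key=None):
    """Keep errlog events, collapsing repeats: identical raw line by default (like
    `dedup _raw`); key=errlog_identity also merges copies whose syslog header differs."""
    seen, events = set(), []
    for ev in filter(None, map(parse_errlog_event, lines)):  # skip non-errlog lines
        k = key(ev) if key else ev["_raw"]
        if k not in seen:
            seen.add(k)
            events.append(ev)
    return events
```

Running `filter_error_log(SAMPLE_SYSLOG)` returns the single OPMSG event; the sshd debug line is dropped and the re-indexed copy is collapsed.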
Yes, but I am getting 2 duplicate results for each error:
Time Event
2/5/15
4:09:15.000 PM
Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15
4:09:15.000 PM
Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
Can you provide a mockup of what you would like to see?