Splunk Search

How do I search for multiple errors found in /var/log/messages?

damonmanni
Path Finder

I want to search for the following 3 error combinations and send an alert if any, some or all are found:

  1. Error #1 - process=kernel AND the strings "segfault" AND "error" appear
  2. Error #2 - process=abrt AND the string "core dump" appears
  3. Error #3 - process=xinetd AND the strings "EXIT" AND "omni" appear

My search attempt below seems to find/match and report only Error #3, whereas I want to show any/all matches in the report.

My current search is:

host=node-1 OR host=node-2 index=os
(source=/var/log/messages OR source=/var/log/secure sourcetype=syslog OR sourcetype=linux_secure (process=kernel AND segfault AND error) OR (process=abrt AND "core dump") OR (process=xinetd AND "EXIT" AND omni))
| dedup host
| stats count list(process), list(filesystem), list(event_time) by host
| rename host AS "NFS Server", list(process) AS "Failed Process", list(filesystem) AS "Failed Filesystem", count AS "Errors Found", list(event_time) as "Time"
| table "NFS Server", "Failed Process", "Failed Filesystem", "Errors Found", "Time"

All advice appreciated.
cheers,
D

0 Karma

wildcats12
Explorer

It looks like you're limiting your results to 1 event per host with the dedup before the stats, which may be why you only see 1 error. If you remove that, do you see multiple error conditions by host?

0 Karma
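One way to rebuild the search along the lines of the reply above. This is an added example, not code from either post. It removes the "dedup host" step (dedup keeps only the first event per host in search order, which is the most recent event by default, so the count can never exceed 1 and only one of the three conditions can ever appear per host), groups the filters explicitly (in SPL, AND, including the implicit AND between adjacent terms, binds tighter than OR, so "host=node-1 OR host=node-2 index=os" is read as "host=node-1 OR (host=node-2 AND index=os)"), and labels each matching event so the per-host report lists which conditions fired. The process, filesystem and event_time fields are assumed to be extracted as in the original search; the error_type field and its labels are introduced here.

```spl
index=os (host=node-1 OR host=node-2)
    (source=/var/log/messages OR source=/var/log/secure)
    (sourcetype=syslog OR sourcetype=linux_secure)
    ( (process=kernel segfault error)
      OR (process=abrt "core dump")
      OR (process=xinetd "EXIT" omni) )
| eval error_type=case(
      process=="kernel", "Error #1: kernel segfault",
      process=="abrt",   "Error #2: abrt core dump",
      process=="xinetd", "Error #3: xinetd EXIT omni")
| stats count AS "Errors Found",
        values(error_type) AS "Failed Process",
        values(filesystem) AS "Failed Filesystem",
        values(event_time) AS "Time"
        BY host
| rename host AS "NFS Server"
| table "NFS Server", "Failed Process", "Failed Filesystem", "Errors Found", "Time"
```

values() is used instead of list() so that each error condition appears once per host regardless of how many events matched, while "Errors Found" still carries the total event count; swap back to list() if one entry per event is wanted. Before saving this as an alert (trigger condition "Number of Results" greater than 0 covers the any/some/all requirement), it is worth checking that all three conditions actually surface by running the first part of the search with "| stats count BY host, error_type" and confirming a row exists for each error_type you expect.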