I have Splunk set up to monitor syslog on udp 514.
Splunk is receiving event logs from several servers.
When searching for a particular event Splunk finds the event but lumps the display with every event that came in at that second.
Can I somehow get the search results to just show the event I want and not all of the events from the same second?
My search is source="udp:514" "accepted password"
Jun 15 12:18:47 220.127.116.11 2010 Jun 15 11:14:47 OCSBA <50000> Dropped Inbound packet (Custom rule) Src:10.102.1.1 SPort:138 Dst:10.102.255.255 DPort:138 IPP:17 Rule:16 Interface:WAN (Internet)
Jun 15 12:18:49 10.128.213.106 sshd: pam_radius_auth: Got response from RADIUS server
Jun 15 12:18:49 10.128.213.106 sshd: Accepted password for aaxxxx from 10.3.8.196 port 2941 ssh2
Jun 15 12:18:49 10.128.213.106 sshd(pam_unix): session opened for user aaxxxx by (uid=0)
Jun 15 12:18:51 10.128.213.106 sshd(pam_unix): session closed for user aaxxxx
As you can see, the search returns lines other than just the "accepted password" that I am looking for.
Are your log entries all showing up in a single event? I see multiple dates in your sample which makes me think that your event breaking (or line merging) logic is not set up correctly.
Your search would work correctly once you resolve the problem of your events being split incorrectly.
The line breaking logic for this input should work out of the box for syslog entries like this. Can you edit your question to include a copy of your inputs.conf stanza for udp:514? Also, what sourcetype is being shown for your event(s)?
Thanks for looking at this.
The events displayed in my original post were 5 events that got lumped together in the search display.
The search results show the date as the beginning of each line, but when I try to paste the events into the question they bunched up and it looks like one wrapped line.
The only thing in the inputs.conf file is
host = servxyz.mycomp.com
I reformatted your question. You can add two spaces to the end of a line to make sure it doesn't wrap; just for future reference. You can also indent each line by 4 spaces for "code" view too. Looks like your problem has been solved, be sure to mark the most helpful answer (green check-mark on the left hand side of the screen.)
The problem is likely due to incorrect line breaking of your source data. As the previous poster has stated, you need to configure this via transforms or props configuration file settings. One quick trick I would suggest is to set the "sourcetype" as "syslog" when configuring this data as an input. You can do this in the inputs.conf file, or via the GUI when adding your input.
Unfortunately, you cannot alter the already-indexed data. If you wanted the indexed data to show correctly, you would have to remove the data and re-index it with the correct settings.
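The inputs.conf stanza the earlier comment asked for, written out with the sourcetype fix from this answer, as an added example that is not from the thread or from Splunk's own documentation. It assumes the files live under $SPLUNK_HOME/etc/system/local/ and reuses the host value from the question; the custom sourcetype name my_syslog and the props.conf values for it are assumptions shown only for the case where you do not want to use the stock syslog sourcetype.

```ini
# Added example, not from the thread. Two files are shown; the path comment
# above each stanza says where it goes. Splunk .conf files only accept
# whole-line "#" comments, so nothing is placed after a value.

# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# Pinning sourcetype = syslog makes Splunk apply its built-in syslog rules,
# which turn line merging off, so each line becomes its own event instead of
# being lumped with the other lines that arrived in the same second.
[udp://514]
sourcetype = syslog
# Take the host field from the sending server's address rather than a fixed
# value, so events from several servers stay attributable to their origin.
# (assumed preference; "dns" would do a reverse lookup instead of "ip")
connection_host = ip
# The question's original static setting, kept here for comparison. With it,
# every event from every server would carry the same host value:
# host = servxyz.mycomp.com

# File: $SPLUNK_HOME/etc/system/local/props.conf
# Only needed if the input is given a custom sourcetype (assumed name below)
# instead of "syslog". These are the settings that matter for the symptom in
# the question: break on newlines, never merge, and read the timestamp from
# the start of the line in syslog's "Jun 15 12:18:49" format.
[my_syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
```

Restart Splunk (or reload the inputs) after editing either file; as the answer says, the change only affects data indexed from that point on. Once lines arrive as separate events, the original search source="udp:514" "accepted password" returns only the sshd "Accepted password" line, which is the event you actually want to alert on, rather than the neighbouring pam_radius and session lines.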
Aaaahh. Thank you Simeon. You are correct. I went back and changed the sourcetype to syslog and new logs coming in parse just fine.
Thanks for sharing your knowledge.