Re: Can I get search script to filter only errpt e...

gsrikanth87 · ‎02-05-2015

I am getting below output when i am searching in syslog. I want to filter only Error Log messages given below.

search :source="/var/adm/syslog/syslog.log" | multikv |

Time    Event
2/5/15 
4:09:15.000 PM  
Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test 
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:15.000 PM  
Feb  5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test 
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug3: fd 8 is O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: fd 11 setting O_NONBLOCK
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2
2/5/15 
4:09:03.000 PM  
Feb  5 16:09:03 bhx26 auth|security:debug sshd[14155806]: debug2: channel 0: rfd 11 isatty

anilyelmar · ‎02-28-2016

its issue with your logging of syslog as its getting re-indexed. You can check inputs and get that fixed though if you want to continue as it is and remove duplicates use : source="/var/adm/syslog/syslog.log" ERRLOGGER | dedup _raw

lguinn2 · ‎02-05-2015

I think this will be a good start

source="/var/adm/syslog/syslog.log" ERRLOGGER

gsrikanth87 · ‎02-06-2015

Yes, but I am getting 2 duplicate results for each error,

Time Event
2/5/15
4:09:15.000 PM

Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2

2/5/15
4:09:15.000 PM

Feb 5 16:09:15 bhx26 user:notice root: Msg from Error Log: --------------------------------------------------------------------------- LABEL: OPMSG IDENTIFIER: AA8AB241 Date/Time: Thu Feb 5 16:09:15 EST 2015 Sequence Number: 387 Machine Id: 00C463C74C00 Node Id: bhx26 Class: O Type: TEMP WPAR: Global Resource Name: OPERATOR Description OPERATOR NOTIFICATION User Causes ERRLOGGER COMMAND Recommended Actions REVIEW DETAILED DATA Detail Data MESSAGE FROM ERRLOGGER COMMAND this is a test
host = Host name source = /var/adm/syslog/syslog.log sourcetype = syslog-2

David · ‎02-05-2015

Can you provide a mockup of what you would like to see?

Can I get search script to filter only errpt errors?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...