Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I search for multiple errors found in /var/log/messages?

damonmanni
Path Finder
‎05-07-2018 02:16 PM

I want to search for the following 3 error combinations and send alert if any, some or all are found:

  1. Error #1 - process=kernel AND the strings "segfault" AND "error" appear
  2. Error #2 - process=abrt AND the string "core dump" appear
  3. Error #3 - process=xinetd AND the strings "EXIT" AND "omni" appear

My search attempt below seems to only find/match and report only Error #3 where I want to show any/all matches in the report.

My Current search is:

host=node-1 OR host=node-2 index=os
(source=/var/log/messages OR source=/var/log/secure sourcetype=syslog OR sourcetype=linux_secure (process=kernel AND segfault AND error) OR (process=abrt AND "core dump") OR (process=xinetd AND "EXIT" AND omni))
| dedup host
|stats count list(process), list(filesystem), list(event_time) by host
|rename host AS "NFS Server", list(process) AS "Failed Process", list(filesystem) AS "Failed Filesystem", count AS "Errors Found", list(event_time) as "Time"
|table "NFS Server", "Failed Process", "Failed Filesystem", "Errors Found", "Time"

All advice appreciated.
cheers,
D

Tags (1)
0 Karma
Reply

wildcats12
Explorer
‎05-15-2018 09:24 PM

It looks like you're limiting your results to 1 event per host with the dedup before the stats, which may be why you only see 1 error. If you remove that, do you see multiple error conditions by host?

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...