How do I search for multiple errors found in /var/...

damonmanni · ‎05-07-2018

I want to search for the following 3 error combinations and send alert if any, some or all are found:

Error #1 - process=kernel AND the strings "segfault" AND "error" appear
Error #2 - process=abrt AND the string "core dump" appear
Error #3 - process=xinetd AND the strings "EXIT" AND "omni" appear

My search attempt below seems to only find/match and report only Error #3 where I want to show any/all matches in the report.

My Current search is:

host=node-1 OR host=node-2 index=os
(source=/var/log/messages OR source=/var/log/secure sourcetype=syslog OR sourcetype=linux_secure (process=kernel AND segfault AND error) OR (process=abrt AND "core dump") OR (process=xinetd AND "EXIT" AND omni))
| dedup host
|stats count list(process), list(filesystem), list(event_time) by host
|rename host AS "NFS Server", list(process) AS "Failed Process", list(filesystem) AS "Failed Filesystem", count AS "Errors Found", list(event_time) as "Time"
|table "NFS Server", "Failed Process", "Failed Filesystem", "Errors Found", "Time"

All advice appreciated.
cheers,
D

wildcats12 · ‎05-15-2018

It looks like you're limiting your results to 1 event per host with the dedup before the stats, which may be why you only see 1 error. If you remove that, do you see multiple error conditions by host?

How do I search for multiple errors found in /var/log/messages?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!