Splunk Search

searching on syslog messages

a212830
Champion

I am testing out replacing LogLogic with Splunk. Right now, we have forwarded the LogLogic messages to a Splunk forwarder, just so we can begin to see them. The messages are being received as syslog and appearing, but I'm having a hard time separating these messages from other ones. The LogLogic sends a ton of syslog, with many different hosts, and I have other syslog messages coming in to this server. I want to look at just the messages coming in from the LogLogic device, but I can't think of any easy way to do this - suggestions?


tfletcher_splun
Splunk Employee

You should probably have the logs coming in such that the host field of the log corresponds to the host it belongs to. But if you want to make it work in this setup you should use a field extraction to get the data somehow. This can be tested with a search command such as rex, but eventually you'd want to store the extraction in your configuration files so that it becomes automatic. Post some sample events and I'll help you with the extraction. Until then take a look at these:

Extracting Fields with a search command

More general overview of all the ways of extracting fields

Once you have the fields extracted you can enter a search command as simple as:

server="webserver-production-01"

Or get more than one at the same time with wildcarded syntax:

server="webserver-production-*"

Happy Splunking!


Ayn
Legend

Well, the host field would be an ideal candidate, no? What are you currently getting as 'host'? The LogLogic host? You could easily write a transform that grabs the original hostname if it is present in the syslog data.


a212830
Champion

The question is more around searching for multiple devices. I really haven't been able to get an answer on this - I have lots of messages coming in from syslog, from hundreds of devices. Some of them need to be categorized one way, some another, so that they are easily reportable and searchable - how would I do that, without having to tag, or hardcode hosts in a conf file. I


tfletcher_splun
Splunk Employee

If you are looking for the events from a specific feed that is the exact purpose of the source field. It should be set to the "source" of your data.


a212830
Champion

There are too many devices coming in to handle using an extraction. I'm not looking for specific devices in this case - I want a way to show all the messages coming from this specific feed - without having to do specific searches for names and such.


chris
Motivator

All the LogLogic messages are from one server, right? You can just select the host from the fields that Splunk extracts by default. In the screenshot 2 servers are sending data to Splunk. If I misunderstood you, the rex command might help you extract the host field. If you post some sample events I (or someone else) can help you.

Selecting a host

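One way to get what tfletcher_splun and Ayn describe (the feed separated by `source`, the real device in `host`), as an added example that is not from the original thread or from Splunk's documentation: give the LogLogic relay its own listener and a transform that rewrites `host` from the syslog header. The port, the stanza names and the assumption that the relayed lines keep a standard RFC 3164 header ("Mon DD HH:MM:SS hostname ...") are mine, not the thread's.

```ini
# --- inputs.conf (on the indexer or heavy forwarder receiving syslog) ---
# Separate listener for the LogLogic relay (port and names are assumptions):
# every event it receives carries a distinct source and sourcetype, so the
# whole feed can be selected without naming any device.
[udp://5514]
sourcetype = loglogic_syslog
source = loglogic_relay
# Do not set host from the sender address; it would always be the relay.
connection_host = none

# Direct syslog senders stay on the default listener and keep their own host.
[udp://514]
sourcetype = syslog
connection_host = dns

# --- props.conf ---
# Apply the host override to the relayed feed only.
[loglogic_syslog]
TRANSFORMS-loglogic_host = loglogic_host_override

# --- transforms.conf ---
# Rewrite the host field from the hostname in the RFC 3164 header
# (optional <PRI>, timestamp, then the originating host) instead of the relay.
[loglogic_host_override]
REGEX = ^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

# --- searches once this is in place (SPL) ---
#   source=loglogic_relay                                  all events from the feed
#   source=loglogic_relay host="webserver-production-*"    one group of devices
# Ad-hoc check of the regex against live events before committing the config:
#   source=loglogic_relay
#   | rex "^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s[\d:]+\s+(?<orig_host>\S+)\s"
#   | stats count by orig_host
```

If the relay rewrites the header (some forwarders replace the original hostname with their own), the `stats count by orig_host` check will show only the relay, and the regex has to be adjusted to wherever the original host actually appears in the message.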