If I log into the Linux system in question and go to the log area /var/log/illumio-pce/agent_traffic.log
type grep blocked/potentially blocked
I get information back
When I go into SPLUNK and make the following search
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic
Information appears, but I do not see anything with the word Blocked or blocked/potentially blocked
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially blocked
NOTHING comes back?
Need someone to explain to me what is wrong with my search
Do you see events if you just run index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log"
What about if you add *block* to the search?
Splunk will look for exact string matches, so if you are not sure exactly how the events will occur, you can use the *something* approach to see if you get a "really wild" match.
*.* searches are generally very poor performing, so once you have identified how the exact pattern is represented in the Splunk events, you should amend your search to use that format over *.*
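The wide-then-narrow approach the answer describes, written out as an added example (this is not from the original thread). The first search casts the wildcard net over the last 24 hours and counts what it catches; the rex pattern and the decision field name are assumptions, since the exact layout of agent_traffic.log events is not shown here. The second search is the narrowed form to use once the literal phrase is confirmed, which avoids the cost of a leading wildcard.

```spl
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" sourcetype=agent_traffic earliest=-24h "*block*"
| rex field=_raw "(?i)(?<decision>potentially blocked|blocked)"
| stats count BY decision, host

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" sourcetype=agent_traffic earliest=-24h "potentially blocked"
| table _time, host, _raw
```

Run the two searches separately; the stats table from the first tells you which literal phrase (and how often) actually appears before you commit to the second.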
yes, I do see events
Ok, I was just ruling out a sourcetype problem. What about if you add *block* to the search?
I added that and increased the timeout to 24 hours, BOOM that worked!!!!
YEAH!!!
thanks
Great.
I have converted my comment to an answer and added a bit more context. If you're happy, please accept my answer, and upvote. Good luck!