Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pull out blocked connections from illumio within our Unix/Linux environment?

jshekell
Explorer
‎03-13-2019 07:18 AM

If I log into the Linux system in question and go to the log area /var/log/illumio-pce/agent_traffic.log
type grep blocked/potentially blocked
I get information back

When I go into SPLUNK and make the following search

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic

Information appears, but I do not see anything with the work Blocks or blocked/potentially blocked

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially blocked

NOTHING comes back?

Need someone to explain to me what is wrong with my search

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-13-2019 07:36 AM

Do you see events if you just run index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log"

What about if you add *block* to the search.

Splunk will look for exact string matches, so if you are not sure exactly how the events will occur, you can use the *something* approach to see if you get a "really wild" match.
*.* searches are generally very poor performing, so once you have identified how the the exact pattern is represented in the Splunk events, you should amend your serach to use that format over *.*

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-13-2019 07:36 AM

Do you see events if you just run index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log"

What about if you add *block* to the search.

Splunk will look for exact string matches, so if you are not sure exactly how the events will occur, you can use the *something* approach to see if you get a "really wild" match.
*.* searches are generally very poor performing, so once you have identified how the the exact pattern is represented in the Splunk events, you should amend your serach to use that format over *.*

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

jshekell
Explorer
‎03-13-2019 07:56 AM

yes, I do see events

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-13-2019 08:00 AM

Ok, I was just ruling out a sourcetype problem. What about if you add *block* to the search.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

jshekell
Explorer
‎03-13-2019 08:11 AM

I added that and increased the timeout to 24 hours, BOOM that worked!!!!

YEAH!!!
thanks

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-13-2019 08:18 AM

Great.
I have converted my comment to an answer and added a bit more context. If you're happy, please accept my answer, and upvote. Good luck!

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...