I have a question similar to:
https://answers.splunk.com/answers/2602
and
https://answers.splunk.com/answers/448796
I would like to get a search match (for which I define a field) and also search the subsequent daemon log for another search. If the second search repeats x count, then save this field as an Error; otherwise (if search contains < x count but > 0), it's a Warning. If the next line does not contain an Error or a Warning, then it’s a Pass.
The daemon is [atftpd][1] and its logs of interest are:
Sep 25 10:58:07 caffeine atftpd[6596]: Serving kernels/vmlinuz to IP:1668
Sep 25 10:58:07 caffeine atftpd[6596]: Serving kernels/vmlinuz to IP:1669
Sep 25 10:58:23 caffeine atftpd[6596]: timeout: retrying...
Sep 25 10:58:28 caffeine atftpd[6596]: timeout: retrying...
Sep 25 10:58:33 caffeine atftpd[6596]: timeout: retrying...
Sep 25 10:58:38 caffeine atftpd[6596]: timeout: retrying...
Sep 25 10:58:43 caffeine atftpd[6596]: timeout: retrying...
Sep 25 11:08:07 caffeine atftpd[6596]: Serving kernels/vmlinuz to anotherIP:1211
There is a deterministic pattern to the [0-9]*.[0-9]*.[0-9]*.[0-9]*)" | rex field=_raw ".* (?timeout).*" | transaction endswith=(: timeout: retrying...) maxcount=5
I would have assumed that maxcount=5 gave the count of the transaction search match, not the total line count of the previous search.
[1]: https://linux.die.net/man/8/atftpd
timeout: retrying... entries (every 5 seconds) and also a configurable count (5).
So if I see a Serving... line followed by exactly 5 retrying... I know for sure it's a failure.
My search so far saves the IPs and the errors in some fields, but the transaction facility in Splunk returns only the first hit of "timeout":
sourcetype=syslog AND atftpd AND caffeine | rex field=_raw "Serving.* to (?
