Hi Splunkers.
A year ago we had a hardware issue that disabled our operation for 24 hours. The VMware vmkernel error looked like this:
```
2015-11-09T21:55:08.687Z cpu28:37026)MCE: 222: cpu28: bank7: status=0x8c00004000010090: (VAL=1, OVFLW=0, UC=0, EN=0, PCC=0, S=0, AR=0), ECC=no, Addr:0x1425a5200 (valid), Misc:0x42ef6f0000 (valid)
```
Now that we have Splunk, I am trying to set up a search that would specifically track these errors. I want the date/time, the CPU, and the keyword "MCE".
I borrowed and modified a search from the VMware app that looks like this:

```
sourcetype=vmware:esxlog:vmkernel * * * * * * * | head 10000 | rex field=sourcetype "^vmware:esxlog:(?<logtype>.+)$" | rex field=Message "^(?:[^ \n]* ){7}(?P<CPU>[^\)]+)\)(?P<CPU_Message>.+)" | eval Time=_time | convert ctime(Time) | table Time, host, CPU, CPU_Message | rename host as Host, CPU_Message as "Message (if any)"
```
My first question is, what are all those * for? I know that an * is a wildcard, but for the VMware app, what does the multiple *'s do?
For the two rex fields, I used the field extractor and extracted the `cpu28:37026` part from the above log, but I also want the `MCE: ` part.
My search mostly works. I am getting the time, host, that CPU field, and then a message that doesn't usually contain the MCE errors (or anything useful). How do I make it show `time, host, CPU` and then either an MCE or MCA error, *but only if an MCE or MCA error exists*?
Thanks in advance!
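One way to return only the events that actually carry an MCE or MCA record, as an added example that is not part of the original post and not taken from the Splunk App for VMware. It assumes the raw vmkernel event contains the `cpu28:37026)MCE: ...` text exactly as quoted above; the field names `Kind` and `MCE_Message` are my own choices, not app fields.

```spl
sourcetype=vmware:esxlog:vmkernel ("MCE:" OR "MCA:")
| rex field=_raw "(?<CPU>cpu\d+:\d+)\)(?<Kind>MC[EA]):\s*(?<MCE_Message>.+)$"
| where isnotnull(Kind)
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S %Z")
| table Time, host, CPU, Kind, MCE_Message
| rename host AS Host, MCE_Message AS "MCE/MCA message"
```

The literal terms `"MCE:" OR "MCA:"` in the base search restrict the index scan to candidate events before any regex runs, and `where isnotnull(Kind)` drops anything the pattern did not match, so the table contains only real machine-check records rather than every vmkernel line. The regex is not anchored to the start of the event, so it works whether or not a syslog prefix precedes the timestamp. A bare `*` term in Splunk matches every event, so the run of asterisks in the borrowed search adds no filtering and is dropped here, as is `head 10000`, which would silently truncate results on a busy host. Saved as an alert, this search gives an early warning of the hardware fault described above instead of a 24-hour outage.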