Need Query assistance


(D) #1

Hello all,

I have a few queries giving me some trouble and am having some trouble finding documentation, so am hoping someone out there can give me some assistance. It seems like it should be simple, but I have gone through all the forums and can't really find what I am looking for. Looking online helps a bit, but the documentation is so scattered and everyone is doing something different that it is confusing me more. The tutorials on here unfortunately don't go deep enough for what I am trying to do.

Also, sorry all if this is a noob question. I have no problem reading manuals, so if you have links that will help please feel free to send them my way.

I am using Kibana 3 and we are using it to monitor our router logs. I have taken this task over from someone who left our company, so am trying to figure out the query structure. Is it regex based?

Here is the thing I am struggling with.

We have multiple different routers in different locations around the globe. They all have an interface Bundle-Ether301. These interfaces have multiple different sub-interfaces that range from 301.100 to .1500.

The first thing I want to focus on is I cannot get the log lines for ONLY the 301 sub-interfaces to hit.

The best I can do is to only show the logs for that exact specific interface event. Below is the query that brings me the closest results. This however only returns events for the Bundle-Ether301 and not the sub-interfaces.

_type:routerlog (a1 OR a2) AND message:("Bundle-Ether301*")

Here is a quick snippet of the log line that it returns.
Line protocol on Interface Bundle-Ether301, changed state to Down

Here is what I am trying to match on
Interface Bundle-Ether301.4053, changed state to Up

If any Bundle-Ether301.xxx hits I want to log it.

If I specify the sub-interface then it works:
_type:routerlog (a1 OR a2) AND message:("Bundle-Ether301.1128")
But I can't make a query for every sub-interface.

Also, as soon as I try to end on a period after the 301 in the search, the search returns every Bundle-Ether (including non-301):
_type:routerlog (a1 OR a2) AND message:("Bundle-Ether301.*")

Is there a rule in Kibana about ending on a period? What are the rules for using parentheses and quotes?

Once again please feel free to send me links to read up on.

Thanks in advance
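Added example, not from the original post and not Kibana's own matching: Kibana 3 hands the search bar text to Elasticsearch as a Lucene query-string query, so the syntax is Lucene query syntax rather than a regular expression, and a `*` wildcard applies to an analyzed term, not to the raw log line. To make the distinction the post is drawing explicit (parent Bundle-Ether301 vs. its sub-interfaces vs. other bundles such as Bundle-Ether302 or Bundle-Ether3011), here is a small Python classifier run over constructed log lines, two of which are the lines quoted above. The regexes, field names and sample lines are assumptions for illustration; the point is the boundary handling that a dotted wildcard in the query bar does not give you.

```python
import re
from collections import Counter

# Constructed sample router log lines. The first two are the lines quoted in the
# post; the rest are made up to exercise the edge cases (other bundle numbers,
# a bundle whose number merely starts with 301, and a non-bundle interface).
SAMPLE_LOGS = [
    "Line protocol on Interface Bundle-Ether301, changed state to Down",
    "Interface Bundle-Ether301.4053, changed state to Up",
    "Interface Bundle-Ether301.1128, changed state to Down",
    "Interface Bundle-Ether302.100, changed state to Up",
    "Interface Bundle-Ether3011.200, changed state to Up",
    "Interface GigabitEthernet0/0/0/1, changed state to Down",
]

# Sub-interface: bundle number, a literal dot, then the sub-interface number.
# \b on both ends keeps Bundle-Ether3011.200 from being read as bundle 301.
SUBIF_RE = re.compile(r"\bBundle-Ether(?P<bundle>\d+)\.(?P<sub>\d+)\b")
# Parent interface: bundle number followed by neither a digit nor a dot.
PARENT_RE = re.compile(r"\bBundle-Ether(?P<bundle>\d+)(?![\d.])")
STATE_RE = re.compile(r"changed state to (?P<state>\w+)")


def classify(line, bundle="301"):
    """Label a log line relative to one bundle (assumed label set):
    'parent', 'subinterface', 'other-bundle' or 'non-bundle'."""
    m = SUBIF_RE.search(line)
    if m:
        return "subinterface" if m.group("bundle") == bundle else "other-bundle"
    m = PARENT_RE.search(line)
    if m:
        return "parent" if m.group("bundle") == bundle else "other-bundle"
    return "non-bundle"


def subinterface_events(lines, bundle="301"):
    """Return (interface, state) pairs for sub-interface events of one bundle,
    which is the set of lines the post's queries were not able to isolate."""
    events = []
    for line in lines:
        if classify(line, bundle) != "subinterface":
            continue
        iface = SUBIF_RE.search(line).group(0)
        s = STATE_RE.search(line)
        events.append((iface, s.group("state") if s else None))
    return events


def state_counts(lines, bundle="301"):
    """Count Up/Down transitions on the bundle's sub-interfaces; a high Down
    count over a short window is the usual trigger for a flap alert."""
    return dict(Counter(state for _, state in subinterface_events(lines, bundle)))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{classify(line):13} {line}")
    print(subinterface_events(SAMPLE_LOGS))
    print(state_counts(SAMPLE_LOGS))
```

The same boundary rules carry over to whatever you end up writing in the query bar: the thing to verify, against a handful of known lines like the ones above, is that the parent interface line and the Bundle-Ether3011-style lines stay out while every Bundle-Ether301.xxx line comes in.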


(Mark Walkom) #2

Any reason you aren't using 4?

However, take a look at https://www.elastic.co/guide/en/kibana/current/discover.html#search


(D) #3

Thanks I will review the link.

I tried to get it updated to 4 but my systems guys are not interested in updating at the moment.
