buildinguf.blogg.se

Source unknown

However, this search doesn't run because of the following error: Error in 'IndexScopedSearch': The search failed. I tried the search that you indicated: source=unknown | stats count by host, sourcetype, index | sort -count
As Lowell indicated, I am a bit doubtful this would solve the problem. I could give hardcoding the timestamp a try, although it's surprising that a sourcetype as standard as Cisco syslog, with clear timestamps, is not getting timestamped properly (the problem is evident only with the events that are displaying source=unknown). Would you have an idea of why this is happening? And at this particular time (the wrongly picked time) there are lots of events (as the wrongly picked events are all timestamped at one particular time).

On further investigation of the source=unknown events, I noticed that the timestamps are actually not picked correctly from the events for all the events that are showing source=unknown. This is important, as sometimes we search by 'source'. There is no file or directory called unknown. As I am indexing the data, I notice that apart from the 'sources' that are appearing correctly (/var/log/filename.gz | 38,219), there is one source coming up as 'unknown' (unknown | 109,368,099).