Trunc offers a robust search capability that allows you to parse and analyze data from various log sources, making it easier to work with your logs. This guide will walk you through how to effectively use Trunc’s search functionality to get the most out of your data.
Trunc Search Dashboard Overview
The Trunc search engine uses a simple, intuitive query language, so you can quickly extract the information you need. Use the standard operators `AND` and `OR` to refine your searches (the examples below write them in lowercase, `and` / `or`). In addition, Trunc provides the following keywords for narrowing down your queries:
Keyword | Description
---|---
`category:` | A category as defined in the Trunc platform (e.g. `pci_dss:11.4`, `ids_event`).
`srcip:` | The source IP address of the event.
`country:` | A two-letter country abbreviation, e.g. `BR` for Brazil, `US` for the United States.
`location:` | The hostname of the source of the logs.
`date:` | A date in `YYYY-MM-DD` format.
`time:` | A time in `HH:MM` format.
Examples of Using Trunc Search
Example 1: Searching with Categories
Trunc categorizes logs to simplify searches. For example, to find all router logs, use:
category:router_logs
This displays every log categorized under `router_logs`.
Example 2: Combining Categories and Hostnames
If you are interested in logs from a specific source and category, you can combine filters. For instance, to find authentication failures on the host `webhoney2.noc.org`:
location:webhoney2.noc.org category:authentication_failure
Only events that satisfy both filters, the host and the category, are returned.
Example 3: Searching for Specific Keywords or Strings
To locate logs containing a specific keyword, simply include it in your query. For instance, to find all logs from `webhoney2.noc.org` that mention `xmlrpc.php`:
location:webhoney2.noc.org xmlrpc.php
A bare term like `xmlrpc.php` is matched against the text of the log line, so this returns only events from that host whose raw text contains the string.
Example 4: Using AND and OR Operators
You can search for multiple criteria by using `AND` and `OR`. For example, to find logs for either `wp-login` or `wp-admin` on `webhoney2.noc.org`:
location:webhoney2.noc.org wp-login or wp-admin
Check the location column of the results: if `wp-admin` hits from other hosts appear, the engine is applying `or` across the whole expression rather than only to the two terms beside it, and you should run the two terms as separate searches against the host.
Example 5: Filtering by Date
To focus on logs from a specific date, use the `date:` keyword. For example, to see all `sshd` logs from `webhoney1.noc.org` on August 24th, 2022:
location:webhoney1.noc.org and sshd and date:2022-08-24
`date:` matches the whole day; to narrow the window further, add the `time:` keyword (`HH:MM`) from the table above.
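The five queries above can be checked offline against an exported batch of events with a small local evaluator. The following is an added example, not Trunc's own code: it implements the syntax as this page describes it (the six `keyword:value` filters, bare terms as substring matches, `and` / `or` operators) and ASSUMES, since the page does not say, that `or` joins only the two terms beside it and that everything else is ANDed. The hostnames are the ones the page uses; the log events, IP addresses and categories other than those named on the page are constructed sample data.

```python
"""Local evaluator for the Trunc-style query syntax described on this page.

Added example, not Trunc's own code. Field keywords, the and/or operators
and free-text terms follow the page; how Trunc itself binds `or` is not
documented here, so this evaluator ASSUMES that `or` joins only the two
terms beside it and that everything else is ANDed.
"""
from dataclasses import dataclass

FIELD_KEYWORDS = {"category", "srcip", "country", "location", "date", "time"}


@dataclass(frozen=True)
class LogEvent:
    location: str   # hostname of the log source
    category: str   # Trunc category, e.g. authentication_failure
    srcip: str      # source IP of the event
    country: str    # two-letter abbreviation, e.g. BR
    date: str       # YYYY-MM-DD
    time: str       # HH:MM
    message: str    # raw log line


def parse(query: str) -> list[list[str]]:
    """Split a query into OR-groups that are ANDed together.

    `and` is the implicit separator and is skipped; `or` attaches the
    following term to the previous group. Both are case-insensitive,
    matching the lowercase spelling in the page's examples (assumption).
    """
    groups: list[list[str]] = []
    join_to_previous = False
    for token in query.split():
        word = token.lower()
        if word == "and":
            join_to_previous = False
            continue
        if word == "or":
            join_to_previous = True
            continue
        if join_to_previous and groups:
            groups[-1].append(token)
        else:
            groups.append([token])
        join_to_previous = False
    return groups


def term_matches(term: str, event: LogEvent) -> bool:
    """`keyword:value` compares one field; anything else is a substring search.

    partition() splits on the first colon only, so category:pci_dss:11.4
    keeps its inner colon in the value.
    """
    key, sep, value = term.partition(":")
    if sep and key.lower() in FIELD_KEYWORDS:
        return getattr(event, key.lower()).lower() == value.lower()
    return term.lower() in event.message.lower()


def matches(query: str, event: LogEvent) -> bool:
    return all(any(term_matches(t, event) for t in group) for group in parse(query))


def search(query: str, events: list[LogEvent]) -> list[LogEvent]:
    return [e for e in events if matches(query, e)]


# Constructed sample events (not real Trunc data); hostnames follow the page.
SAMPLE_EVENTS = [
    LogEvent("webhoney2.noc.org", "authentication_failure", "203.0.113.5", "BR",
             "2022-08-24", "10:15",
             "sshd[1234]: Failed password for root from 203.0.113.5 port 4422 ssh2"),
    LogEvent("webhoney2.noc.org", "ids_event", "198.51.100.7", "US",
             "2022-08-24", "10:16", '198.51.100.7 - - "POST /xmlrpc.php HTTP/1.1" 403'),
    LogEvent("webhoney2.noc.org", "ids_event", "198.51.100.7", "US",
             "2022-08-25", "11:02", '198.51.100.7 - - "GET /wp-login.php HTTP/1.1" 200'),
    LogEvent("webhoney1.noc.org", "ids_event", "192.0.2.9", "DE",
             "2022-08-25", "11:05", '192.0.2.9 - - "GET /wp-admin/ HTTP/1.1" 302'),
    LogEvent("webhoney1.noc.org", "authentication_failure", "192.0.2.9", "DE",
             "2022-08-24", "23:59",
             "sshd[555]: Invalid user admin from 192.0.2.9 port 51022"),
    LogEvent("webhoney1.noc.org", "router_logs", "10.0.0.1", "US",
             "2022-08-24", "08:00", "interface eth0 link down"),
]

if __name__ == "__main__":
    for q in [
        "category:router_logs",
        "location:webhoney2.noc.org category:authentication_failure",
        "location:webhoney2.noc.org xmlrpc.php",
        "location:webhoney2.noc.org wp-login or wp-admin",
        "location:webhoney1.noc.org and sshd and date:2022-08-24",
    ]:
        print(q, "->", [e.message for e in search(q, SAMPLE_EVENTS)])
```

Under the stated assumption, the Example 4 query returns only the `wp-login` hit from `webhoney2.noc.org` and not the `wp-admin` request from `webhoney1.noc.org`; if the real engine shows that second event, it binds `or` more loosely than this evaluator does, which is exactly the check suggested above.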