topic Re: Help building a search in Splunk Enterprise

Help building a search

robertoClaros — Wed, 07 Jan 2026 14:56:20 GMT

Hello all,

I am currently trying to do a search in which I verify if :

=> "testA" syslog has been received before any of "test", "test2" or "test3" syslog OR if "testA" syslog has not been received but we have one of the other syslogs "test", "test2" or "test3"

The main goal is to verify if an event A happened before other ones making it a notable event.

I tried things with transactions and eval commands in order to know which syslog was received and which was last but without big success.

Thank you all.

Re: Help building a search

robertoClaros — Wed, 07 Jan 2026 15:01:41 GMT

I tried the following example but it seems not really efficient and working :

index=* Data IN ("testA", "test", "test2", "test3")
| transaction Data
| sort _time
| eval testA_present=if(match(Data, "testA"), "true", "false")
| eval test_present=if(match(Data, "(test|test2|test3)"), "true", "false")
| eval testA_last=if(testA_present="true" AND test_present="true", mvindex(split(Data, "|"), -1) == "testA", "false")
| where (testA_present="true" AND test_present="true" AND testA_last="false") OR (testA_present="false" AND test_present="true")

Re: Help building a search

ITWhisperer — Wed, 07 Jan 2026 15:11:31 GMT

It is a bit difficult to advise without knowledge of what your events look like but let us assume that you have a field called test_name, then you can do something like this

``` Ensure event are in chronological order ``` | sort 0 _time ``` Find the previous time that "testA" was received ``` | streamstats last(eval(if(test_name=="testA",_time,null()))) as last_testA | where isnull(last_testA) and test_name IN ("test", "test2", "test3")

Re: Help building a search

asimit — Fri, 09 Jan 2026 14:07:11 GMT

Hi @robertoClaros ,

So the full solution for your original problem - detecting if "test" / "test2" / "test3" syslog happens before any "testA" (or no testA at all) - is this search:

| makeresults count=20 | streamstats count as event_num | eval _time=_time - (20-event_num)*60 | eval Data=case( event_num % 5 == 0, "testA", event_num % 5 == 1, "test", event_num % 5 == 2, "test2", event_num % 5 == 3, "test3", true(), "testA" ) | eval host="test-host", source="syslog" | sort 0 _time | streamstats last(eval(if(Data=="testA",_time,null()))) as last_testA_time | where isnull(last_testA_time) AND Data IN ("test", "test2", "test3") | table _time Data host source last_testA_time

This test data creates the exact scenario u want - test events before testA gets flagged perfectly see the screenshot as well.

What it does (super simple):

Grabs only your relevant events
Sorts oldest first
streamstats tracks when testA was last seen (null if never)
where finds test/test2/test3 events where testA hasnt happened yet = your notable events!

Re: Help building a search

robertoClaros — Fri, 09 Jan 2026 16:08:24 GMT

Thanks a lot ! I used it for the solution

Re: Help building a search

robertoClaros — Fri, 09 Jan 2026 16:09:29 GMT

Thank you so much for the help !

I used latest in order not to need to sort events but it works really well on my side.