https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493299#M84293 <P>Hi,<BR /> I would want to know the current event and the after event of that particular current event.</P> <P>1.First i would want to search for a particular number sequence 12345.<BR /> 2.Then find the event that occurs right after it.<BR /> 3.I want the result to have both the events.<BR /> 4.index,source and sourcetype for both the events are same.</P> <P>Example:</P> <P>In the below set of data,</P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.evntcontroller - service not found<BR /> Srvcs.APIController - attempting</P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.errcontroller - invalid call<BR /> Srvcs.APIController - attempting</P> <P>Result i want is </P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.evntcontroller - service not found</P> <P>And for the second set</P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.errcontroller - invalid call</P> <P>Kindly help me with this</P> Sat, 05 Oct 2019 19:56:43 GMT Deepz2612 2019-10-05T19:56:43Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493299#M84293 <P>Hi,<BR /> I would want to know the current event and the after event of that particular current event.</P> <P>1.First i would want to search for a particular number sequence 12345.<BR /> 2.Then find the event that occurs right after it.<BR /> 3.I want the result to have both the events.<BR /> 4.index,source and sourcetype for both the events are same.</P> <P>Example:</P> <P>In the below set of data,</P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.evntcontroller - service not found<BR /> Srvcs.APIController - attempting</P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.errcontroller - invalid call<BR /> Srvcs.APIController - attempting</P> <P>Result i want is </P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.evntcontroller - service not found</P> <P>And for the second set</P> <P>Srvcs.APIController - Start - [12345] <BR /> Srvcs.errcontroller - invalid call</P> <P>Kindly help me with this</P> Sat, 05 Oct 2019 19:56:43 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493299#M84293 Deepz2612 2019-10-05T19:56:43Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493300#M84294 <P>This sounds like a job for <CODE>transaction</CODE>.</P> <PRE><CODE>index=foo source=bar sourcetype=baz | transaction startwith="12345" maxevents=2 | ... </CODE></PRE> Sat, 05 Oct 2019 23:39:42 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493300#M84294 richgalloway 2019-10-05T23:39:42Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493301#M84295 <P>But that doesnt seem to work.<BR /> I tried but it is showing some other event and not this</P> Sun, 06 Oct 2019 04:58:46 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493301#M84295 Deepz2612 2019-10-06T04:58:46Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493302#M84296 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="Srvcs.APIController - Start - [12345] Srvcs.evntcontroller - service not found Srvcs.APIController - attempting Srvcs.APIController - Start - [12345] Srvcs.errcontroller - invalid call Srvcs.APIController - attempting" | makemv delim=" " raw | mvexpand raw | rename COMMENT AS "Everything above generates sample events; everything below is your solution" | streamstats count AS _serial | eval _time = _time + _serial | rename raw AS _raw | sort 0 - _time | reverse | streamstats count(eval(searchmatch("[12345]"))) AS sessionID | dedup 2 sessionID | stats min(_time) AS _time values(_raw) AS events BY sessionID </CODE></PRE> Sun, 06 Oct 2019 18:30:16 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/493302#M84296 woodcock 2019-10-06T18:30:16Z