https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546156#M154805 <P>On the face of it, it seems like the transaction command is the one you should be looking at</P> Wed, 31 Mar 2021 07:47:20 GMT ITWhisperer 2021-03-31T07:47:20Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546155#M154804 <P>Good morning,</P><P>&nbsp;</P><P>suppose I have the following entries in my file :</P><P>BEGIN</P><P>&nbsp;abc</P><P>def</P><P>END;</P><P>BEGIN</P><P>&nbsp;xyz</P><P>END;</P><P>***</P><P>I want to search for the sentence BEGIN and the sentence with END;</P><P>As a result I want to have the search entries BEGIN and END including the rows between.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Dik Pater</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 31 Mar 2021 07:42:33 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546155#M154804 splunkpaterd2 2021-03-31T07:42:33Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546156#M154805 <P>On the face of it, it seems like the transaction command is the one you should be looking at</P> Wed, 31 Mar 2021 07:47:20 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546156#M154805 ITWhisperer 2021-03-31T07:47:20Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546164#M154810 <P>I did not succeed, so if you have the solution for me please post it.</P> Wed, 31 Mar 2021 08:00:40 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546164#M154810 splunkpaterd2 2021-03-31T08:00:40Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546165#M154811 <P>Can you post some more realistic anonymised data?</P> Wed, 31 Mar 2021 08:04:28 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546165#M154811 ITWhisperer 2021-03-31T08:04:28Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546352#M154875 <P>2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;<BR />2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,<BR />2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,<BR />2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,<BR />2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;<BR />2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 8 RUN;</P><P>So if I search for PROC SQL until RUN;&nbsp;</P><P>thats what I need to get back.</P><P>&nbsp;</P><P>TIA&nbsp;</P><P>&nbsp;</P><P>Dik Pater</P> Thu, 01 Apr 2021 10:55:39 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546352#M154875 splunkpaterd2 2021-04-01T10:55:39Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546369#M154883 <LI-CODE lang="markup">| makeresults | eval _raw="2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC; 2021-03-17T11:08:26,400 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID, 2021-03-17T11:08:26,401 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1, 2021-03-17T11:08:26,402 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2, 2021-03-17T11:08:26,403 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1; 2021-03-17T11:08:26,404 INFO [00000018] :dikpater@nowhere - 8 RUN;" | multikv noheader=t | fields - Column_1 | eval _time=strptime(_raw,"%Y-%m-%dT%H:%M:%S,%Q") | sort - _time | transaction startswith="PROC SQL" endswith="RUN" mvraw=t</LI-CODE><P>The first part sets up dummy data in line with your example</P><P>The second part may or may not be needed if you already have _time extracted as an epoch time</P><P>The transaction command needs event sorted in descending _time order</P><P>I used mvraw=t which may or may not be required depending on how you want to proceed</P> Thu, 01 Apr 2021 13:12:25 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546369#M154883 ITWhisperer 2021-04-01T13:12:25Z https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546967#M155061 <P>Thanks for your excellent answer .</P><P>My collegues are happy with this and can now continue to answer some auditing questions.</P><P>Regards,</P><P>&nbsp;</P><P>Dik Pater</P><P>The Netherlands</P> Wed, 07 Apr 2021 06:04:53 GMT https://community.splunk.com/t5/Splunk-Search/display-rows-between-2-searches/m-p/546967#M155061 splunkpaterd2 2021-04-07T06:04:53Z