https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381439#M167466 <P>hi @johnny_goya</P> <P>Did the answer below solve your problem? If so, please resolve this post by approving it! <BR /> If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!</P> Thu, 27 Sep 2018 23:04:31 GMT mstjohn_splunk 2018-09-27T23:04:31Z https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381437#M167464 <P>I want to make a search that match for a event, than get the next event.</P> <P>Example:</P> <P>Event1 _time event_hash status_label<BR /> Event2 _time event_hash status_label<BR /> Event3 _time event_hash status_label<BR /> Event4 _time event_hash status_label</P> <P>Match:<BR /> Event2 _time event_hash status_label<BR /> Event3 _time event_hash status_label</P> <P>Match:<BR /> Event1 _time event_hash status_label<BR /> Event2 _time event_hash status_label</P> Tue, 29 Sep 2020 21:18:31 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381437#M167464 johnny_goya 2020-09-29T21:18:31Z https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381438#M167465 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/88994">@johnny_goya</a></P> <P>From given example what I understand is.</P> <P>Below is your event</P> <PRE><CODE>Event1 _time event_hash status_label Event2 _time event_hash status_label Event3 _time event_hash status_label Event4 _time event_hash status_label </CODE></PRE> <P>Below is your matching event from any logic</P> <PRE><CODE>Event2 _time event_hash status_label Event3 _time event_hash status_label </CODE></PRE> <P>AND <BR /> Below is your desired output</P> <PRE><CODE>Event1 _time event_hash status_label Event2 _time event_hash status_label </CODE></PRE> <P>Well, if it is then try following search.</P> <P><CODE>YOUR_SEARCH | eval match=&lt;&lt;YOUR_MATCHING_LOGIC&gt;&gt; | streamstats window=2 earliest(_raw) as prev_event | where match=1</CODE></P> <P>Note: I have taken an assumption we have already match field which represents event is matched or not.<BR /> YOUR_MATCHING_LOGIC should return <CODE>1</CODE> incase of true and <CODE>0</CODE> in case of false.</P> <P>My Sample Search:</P> <PRE><CODE>| makeresults | eval _raw="Event1 _time event_hash status_label Event2 _time event_hash status_label match=1 Event3 _time event_hash status_label match=1 Event4 _time event_hash status_label" | rex max_match=0 field=_raw "(?&lt;T&gt;[^[\n|\.]+)" | mvexpand T | eval _raw=T | fields - T | kv | streamstats window=2 earliest(_raw) as prev_event | where match=1 </CODE></PRE> <P>Thanks</P> Tue, 29 Sep 2020 21:27:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381438#M167465 kamlesh_vaghela 2020-09-29T21:27:46Z https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381439#M167466 <P>hi @johnny_goya</P> <P>Did the answer below solve your problem? If so, please resolve this post by approving it! <BR /> If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!</P> Thu, 27 Sep 2018 23:04:31 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-get-the-first-event-after-match-a-event/m-p/381439#M167466 mstjohn_splunk 2018-09-27T23:04:31Z