https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22476#M177415 <P>Hi,</P> <P>Is there any way to do a contextual search in Splunk? For example, if I issue the command "grep -C 5 failed <FILE>" it will return lines in <FILE> which contain the keywork "failed" AND the last 5 lines before and 5 lines after. I am not sure how to do this in Splunk.</FILE></FILE></P> <P>I am interested in searching for a message X which has message Y before it. I know I could achieve a successful search by using the OR operator but one of the messages is very common and clutters the results. So I would like to search for the much less common message X in a contextual fashion and manually inspect for message Y before it.</P> <P>Thanks!</P> Fri, 03 Jun 2011 17:14:34 GMT axsolis 2011-06-03T17:14:34Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22476#M177415 <P>Hi,</P> <P>Is there any way to do a contextual search in Splunk? For example, if I issue the command "grep -C 5 failed <FILE>" it will return lines in <FILE> which contain the keywork "failed" AND the last 5 lines before and 5 lines after. I am not sure how to do this in Splunk.</FILE></FILE></P> <P>I am interested in searching for a message X which has message Y before it. I know I could achieve a successful search by using the OR operator but one of the messages is very common and clutters the results. So I would like to search for the much less common message X in a contextual fashion and manually inspect for message Y before it.</P> <P>Thanks!</P> Fri, 03 Jun 2011 17:14:34 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22476#M177415 axsolis 2011-06-03T17:14:34Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22477#M177416 <P>One way that comes to mind would be to use the "transaction" parameter...this allows you to group events into a single transaction at search time...there are probably a few ways to use transaction in this manner:</P> <P>source=foo <X_IDENTIFIER> | transaction <FIELD> maxspan=<TIME></TIME></FIELD></X_IDENTIFIER></P> <P>for X_identifier...I'd just be looking for something you'd only see in event X.</P> <P>for "field", you have to choose a field in splunk that will be common to both of these transactions...common ones might be host, clientip..etc. maxspan isn't required, but I've found it useful.</P> <P>What this will do is filter for X event, then build a transaction around X that presumably includes Y as well. Now, there may be better ways to do this, but this is one that I've used before for this purpose. </P> Fri, 03 Jun 2011 23:05:22 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22477#M177416 cgilbert_splunk 2011-06-03T23:05:22Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22478#M177417 <P>Is Y expected to come directly before X, or could there be an hour or so in between?</P> Sun, 05 Jun 2011 16:12:15 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22478#M177417 mw 2011-06-05T16:12:15Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22479#M177418 <P>Y is expected to come within 5 seconds of X. Could be before or after.... Also, there are no fields that are common to the two messages. That is why I am wanting to find messages withing a time window around X.</P> Mon, 06 Jun 2011 15:33:53 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22479#M177418 axsolis 2011-06-06T15:33:53Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22480#M177419 <P>Thanks for the reply and that is good info. Unfortunately messages X and Y have no common fields. I am looking for cases when Y is produced within 5 seconds or so of when X is produced. This does not happen consistently but I have an interest to find out when it does.</P> <P>Gave point due to good informative answer. Unfortunately does not solve my issue. Thanks!</P> Mon, 06 Jun 2011 15:37:25 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22480#M177419 axsolis 2011-06-06T15:37:25Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22481#M177420 <P>You might try checking out this thread...I haven't had the chance to validate the searches, but there are a few things in here that seem to map to your use case:</P> <P><A href="http://splunk-base.splunk.com/answers/2602/can-splunk-filtermatch-events-and-bring-back-neighbouring-events-like-gnu-grep">http://splunk-base.splunk.com/answers/2602/can-splunk-filtermatch-events-and-bring-back-neighbouring-events-like-gnu-grep</A></P> Mon, 06 Jun 2011 16:10:27 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22481#M177420 cgilbert_splunk 2011-06-06T16:10:27Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22482#M177421 <P>I think this does it. I was able to find the events I wanted anyway. More playing around will need to be done but it got me what I wanted. Thanks!</P> Mon, 06 Jun 2011 19:14:47 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22482#M177421 axsolis 2011-06-06T19:14:47Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22483#M177422 <P>How can I search for "Send failed" and result should display the 5 lines before the message found as well.</P> <P>I need to see what happens before the "Send failed" occurred.</P> <P>Any help on the search query would be helpful.</P> Sat, 18 Feb 2012 01:19:40 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22483#M177422 TXBU 2012-02-18T01:19:40Z https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22484#M177423 <P>cgilbert_splunk's link should probably work for you too. Something like this:</P> <P>sourcetype=whatever | transaction endswith="Send failed" maxevents=5</P> Mon, 20 Feb 2012 15:29:01 GMT https://community.splunk.com/t5/Splunk-Search/Context-Search/m-p/22484#M177423 mw 2012-02-20T15:29:01Z