topic Re: How to get all events between two events? in Splunk Search

How to get all events between two events?

vrmandadi — Wed, 26 Oct 2022 15:48:10 GMT

I have the following events.I am trying to get all the events between START and END of a job (inclusive).For instance the below job 51060 has 3 events in between...I am trying to a transaction command but I dont get the events in between.I only get the start and end event

| transaction startswith="START" endswith="END"

2022-10-21T23:26:14.075003-07:00 xyz slurm-epilog: END user=svc job=51060
2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T19:17:25.710875-07:00 xyz slurm-prolog: START user=svc job=51060

Re: How to get all events between two events?

johnhuang — Wed, 26 Oct 2022 16:33:32 GMT

Is there any identifier that can tie the 3 middle events together with the start or end event or are you looking for all events between start and end?

Re: How to get all events between two events?

vrmandadi — Wed, 26 Oct 2022 16:50:15 GMT

I dont have specific identifier to match it...But I am looking get all the events between them and then a calculation on them

Re: How to get all events between two events?

johnhuang — Wed, 26 Oct 2022 17:00:45 GMT

| rex "\:\s(?<event_type>END|START)\s" | transaction startswith=(event_type="START") endswith=(event_type="END")

Re: How to get all events between two events?

vrmandadi — Wed, 26 Oct 2022 18:04:25 GMT

Doesnt give what I need...it just gives start and end events

Re: How to get all events between two events?

johnhuang — Wed, 26 Oct 2022 18:18:39 GMT

Transaction will give you an output of unique values for each field -- are you sure you're only seeing start and end events?

Try this as a test:

Re: How to get all events between two events?

vrmandadi — Wed, 26 Oct 2022 18:21:18 GMT

Yes I only see two events per transaction which has start and end but dont see any events like below

2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main,