topic Re: How can I display the 10 event entries prior to and post a specified keyword search in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643232#M222819 <P>Try something like this</P><LI-CODE lang="markup">| streamstats count(eval(error=="java")) as java | streamstats reset_on_change=t count as post_java by java | eval post_java=if(post_java==0,null(),post_java) | reverse | streamstats count(eval(error=="java")) as java | streamstats reset_on_change=t count as pre_java by java | eval pre_java=if(pre_java==0,null(),pre_java) | where pre_java &lt;= 10 OR post_java &lt;= 10 | reverse</LI-CODE> Fri, 12 May 2023 15:09:56 GMT ITWhisperer 2023-05-12T15:09:56Z How can I display the 10 event entries prior to and post a specified keyword search? https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643227#M222817 <P>Hi,</P> <P>In the logs file, we are capturing java error is multiple entries, so in order for me to see the entire error set, I need to see the events/records (10 used here as an example) that are immediately prior-to and post the keyword that is being search.</P> <P>&nbsp;</P> <P>Currently, when I use the below SPL, I get only the events that contain the word "java" which is good, but I want to see the 10 records (i.e. log entry lines) prior to this "java" record and 10 entries post this "java" record".&nbsp; The records prior-to and post may not have any keyword "java" in them, but I still want to see those records as part of the result set being displayed.</P> <P>&nbsp;</P> <P>| from datamodel:"xyz"<BR />| fields host source _time<BR />| where like(_raw,"%java%")<BR />| table host source _raw</P> <P>&nbsp;</P> <P>Is there a way to display the 10 records/events prior-to and post the keyword being searched from the _raw field?</P> <P>Thanks</P> Mon, 15 May 2023 12:55:18 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643227#M222817 Steve_A200 2023-05-15T12:55:18Z Re: How can I display the 10 event entries prior to and post a specified keyword search https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643232#M222819 <P>Try something like this</P><LI-CODE lang="markup">| streamstats count(eval(error=="java")) as java | streamstats reset_on_change=t count as post_java by java | eval post_java=if(post_java==0,null(),post_java) | reverse | streamstats count(eval(error=="java")) as java | streamstats reset_on_change=t count as pre_java by java | eval pre_java=if(pre_java==0,null(),pre_java) | where pre_java &lt;= 10 OR post_java &lt;= 10 | reverse</LI-CODE> Fri, 12 May 2023 15:09:56 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643232#M222819 ITWhisperer 2023-05-12T15:09:56Z Re: How can I display the 10 event entries prior to and post a specified keyword search https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643234#M222820 <P>Hi ITWhisperer,</P><P>Unfortunately, that didn't do the trick.&nbsp;</P><P>2 issues:</P><P>- it did not list events that contained the keyword being search i.e. like "java"</P><P>- it listed a total of 20 events, I was hoping to list every event that contains the word "java" +/- 10 record, rather than just a single event +/- 10 events.</P><P>Thanks</P> Fri, 12 May 2023 15:35:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643234#M222820 Steve_A200 2023-05-12T15:35:07Z Re: How can I display the 10 event entries prior to and post a specified keyword search https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643238#M222821 <P>Obviously, the key is getting the eval correct - you could try searchmatch</P><LI-CODE lang="markup">| streamstats count(eval(searchmatch("java"))) as java | eval java=if(java==0,null(),java) | streamstats reset_on_change=t count as post_java by java | reverse | streamstats count(eval(searchmatch("java"))) as java | eval java=if(java==0,null(),java) | streamstats reset_on_change=t count as pre_java by java | where pre_java &lt;= 10 OR post_java &lt;= 10 | reverse</LI-CODE> Fri, 12 May 2023 16:29:36 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643238#M222821 ITWhisperer 2023-05-12T16:29:36Z Re: How can I display the 10 event entries prior to and post a specified keyword search https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643239#M222822 <P>Thank you ITWhisperer, that indeed did the trick.&nbsp; I sandwiched your search between the fields and table&nbsp; commands.</P> Fri, 12 May 2023 16:38:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-display-the-10-event-entries-prior-to-and-post-a/m-p/643239#M222822 Steve_A200 2023-05-12T16:38:17Z