topic Re: How to get the result of next event by searching for a key word in Splunk Search

How to get the result of next event by searching for a key word

t_splunk_d — Fri, 22 Dec 2023 21:11:24 GMT

I want to get the result of the next line of the log message when I encounter a key word.

Example log:

----error in checking status--------

----Person Name: abcd, Status=active---------

-----Check for Status------

------success : true--------

-----Start Processing XXX----------

----Person Name: abcd, Status=active---------

-----Check for Status------

------success : true--------

-----Start Processing XXX----------

----Person Name: abcd, address:yzgj---------

-----Check for Person------

------success : true--------

-----Start Processing XXX----------

In the above log I want to capture the person name after the "Check for Person". The log is indexed by _time. I want to display the following result:

_time Process Person Name

XXX abcd

I don't want to use map or transactions as those are expensive as there are lot of events.

Thank you for the help.

Re: How to get the result of next event by searching for a key word

gcusello — Wed, 20 Dec 2023 17:45:22 GMT

Hi @t_splunk_d ,

let me understand: you have each row in a different event and you're sure that the event are in this sequence.

I suppose that you already extracted Process and Person_Name fields, in this case you could run something like this:

<your_search> | transaction startswith="Start Processing" maxevents=2 | table Process Person_Name

Ciao.

Giuseppe

Re: How to get the result of next event by searching for a key word

dtburrows3 — Wed, 20 Dec 2023 18:04:23 GMT

You may be able to use streamstats assuming that there is some degree off distribution of _time between each event.

The final output should look something like this

The table before the final stats aggregation looked like this and show more context around what the streamstats are doing here.

Note: For this method to work properly _timestamps of each process event shouldn't be exactly the same, there would need to be some sort of step up in time to the next event (event if it is milliseconds). This is because we need the events in the correct sequence for the streamstats to work as expected.

Re: How to get the result of next event by searching for a key word

t_splunk_d — Fri, 22 Dec 2023 21:13:35 GMT

@dtburrows3 We are so close. Actually I did not mention about the error. The logs looks like this:
----error in checking status--------

----Person Name: abcd, Status=active---------

-----Check for Status------

------success : true--------

-----Start Processing XXX----------

So I want to get the Person name for only "error in checking status"

Re: How to get the result of next event by searching for a key word

dtburrows3 — Fri, 22 Dec 2023 22:11:02 GMT

I think the addition of a few evals can account for the error line as well.

Maybe something like this?

<base_search> | rex field=_raw "Processing\s+(?<process>[^\-]+)\-" | rex field=_raw "Person\s+Name\:\s+(?<person_name>[^\,]+)\," | sort 0 +_time | streamstats reset_before="("isnotnull(process)")" values(process) as current_process | streamstats window=2 first(_raw) as previous_log | rex field=previous_log "Person\s+Name\:\s+(?<previous_log_person_name>[^\,]+)\," | eval checked_person_name=if( match(previous_log, "\-Check\s+for\s+Person\-"), 'person_name', null() ), status_error_person=if( match(previous_log, "Person\s+Name:\s+") AND match(_raw, "\-error\s+in\s+checking\s+status"), 'previous_log_person_name', null() ) | stats min(_time) as _time by current_process, status_error_person | fields + _time, current_process, status_error_person