topic How to include the previous and/or following event after the search string appears? in Splunk Search

How to include the previous and/or following event after the search string appears?

echalex — Tue, 16 Sep 2014 15:55:56 GMT

Hi,
I would like to include the event just before or just after the search string appears. Basically like grep -A 1 or -B 1 would. Is there an easy way of doing this in Splunk?

Re: How to include the previous and/or following event after the search string appears?

pradeepkumarg — Tue, 16 Sep 2014 16:02:06 GMT

Please check below post

http://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html

Re: How to include the previous and/or following event after the search string appears?

echalex — Thu, 18 Sep 2014 11:19:57 GMT

Thanks for the tip.
It isn't strictly what I was looking for, as it is time-based, rather than event based. So there can be quite a few events during the time I specify -even just a second, but at least it's there.

Re: How to include the previous and/or following event after the search string appears?

scombs — Fri, 29 Oct 2021 17:41:22 GMT

Old post, but... How about this?

Re: How to include the previous and/or following event after the search string appears?

PickleRick — Fri, 29 Oct 2021 18:31:50 GMT

Don't take it personally but that's one of the most ineffective solutions to any splunk problem I've seen. Don't ever do that.

Not only instead of using splunk's indexes you're scanning all events. You're doing it twice!

For reference -

simple search for the string "error" from my home splunk from _internal index for the last 24 hours

This search has completed and has returned 2,277 results by scanning 2,277 events in 1.846 seconds

The "same" search by listing all events, streamstatsing and then searching:

This search has completed and has returned 2,279 results by scanning 1,155,856 events in 25.172 seconds

I think you can see the difference.

Re: How to include the previous and/or following event after the search string appears?

scombs — Fri, 29 Oct 2021 19:13:58 GMT

Hi PickleRick,

I greatly appreciate the feedback. I've gained just enough experience that I want to start contributing back, so no offense taken.

By "source" I had in mind a specific, dated, application log which, in our environment, is quite constrained. Identifying (in our environment) just index and sourcetype would result in a quite broad result set.

I saw your solution, but took the poster's question as a desire for the couple of specific events immediately before and after the found event rather than a range of who-knows-how-many around its _time stamp.

If I had written my answer like the following, would it have been more acceptable?

Re: How to include the previous and/or following event after the search string appears?

PickleRick — Fri, 29 Oct 2021 19:57:59 GMT

Yes, I understand. And - to be honest - I also had similar need once or twice but - honestly - I don't think there's a "good" answer using splunk. It all boils down to the fact that there's no "sequence number" concept in splunk. That's why you either use time as your narrowing factor (which is not very precise as we know) or have to do such ineffective tricks as your solution.

The problem is that while with normal "index=whatever | search filter" splunk can optimize it and perform as if it was done simply as "index=whatever filter". But if you add streamstats, even if splunk could optimize the search just to find the proper result, it still has to look through all events just to count them.

So I suppose there's really no effective way to do that.

Also, there's no effective method not-involving a subsearch (because as you pass down the processing pipe you lose the knowledge about the original data, so you'd have to pass the data further downstream somehow which again means that you'd have to somehow keep a "backlog" of your events).