https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158870#M44800 <P>Please vote up both answers <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Tue, 24 Feb 2015 14:18:42 GMT markthompson 2015-02-24T14:18:42Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158863#M44793 <P>I'm looking to find the last 5 log entries that occurred before a certain event, but I don't know how to craft the search.</P> <P>My initial search will be something like <CODE>sourcetype="syslog" DUPLEX_MISMATCH</CODE>, but then based on those events, I'd like to see the five syslog events (sourcetype=syslog OR sourcetype=tacacs) that happened directly before the <CODE>DUPLEX_MISMATCH</CODE>.</P> <P>If my normal search would return 5 results. I'd like to see all of those 5, plus the 5 before each of them, for a total of 30.</P> Tue, 24 Feb 2015 13:55:36 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158863#M44793 sanorthrup 2015-02-24T13:55:36Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158864#M44794 <P>There are many ways to look at this, but one that sprung to my mind was to use transaction, which may sound strange but hear me out <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> If you do</P> <PRE><CODE>| transaction endswith="DUPLEX_MISMATCH" maxevents=6 </CODE></PRE> <P>This would group them all into events with the 5 events prior to that statement.</P> <P>It's just a thought, I'm sure there are many other ways to do it, but I think it'd do the trick.</P> Tue, 24 Feb 2015 14:05:55 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158864#M44794 markthompson 2015-02-24T14:05:55Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158865#M44795 <P>Hello</P> <P>You can get this usign the transaction command, with something like:</P> <PRE><CODE>(sourcetype=syslog OR sourcetype=tacacs) | transaction endswith="DUPLEX_MISMATCH" maxevents=5 </CODE></PRE> <P>This will create transactions whose last event match DUPLEX_MISMATCH and groups a total of 5 events</P> <P>Regards</P> Tue, 24 Feb 2015 14:06:09 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158865#M44795 gfuente 2015-02-24T14:06:09Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158866#M44796 <P>Isn't that what I posted?<BR /> But it would need to be 6, because it picks up the last statement, and he wants the prior 5. </P> Tue, 24 Feb 2015 14:11:01 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158866#M44796 markthompson 2015-02-24T14:11:01Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158867#M44797 <P>Please accept answer &amp; vote up if it worked for you ! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 24 Feb 2015 14:12:15 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158867#M44797 markthompson 2015-02-24T14:12:15Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158868#M44798 <P>You're both right. Thanks so much for your help.</P> Tue, 24 Feb 2015 14:16:52 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158868#M44798 sanorthrup 2015-02-24T14:16:52Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158869#M44799 <P>@sanorthrup<BR /> This answer wouldn't do what you need, the maxevents would be 6 as the ending statement is classed as an event itself. Hence my answer, which was posted at pretty much the same time <span class="lia-unicode-emoji" title=":winking_face:">😉</span> Infact i think mine was a bit quicker <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Tue, 24 Feb 2015 14:17:48 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158869#M44799 markthompson 2015-02-24T14:17:48Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158870#M44800 <P>Please vote up both answers <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Tue, 24 Feb 2015 14:18:42 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158870#M44800 markthompson 2015-02-24T14:18:42Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158871#M44801 <P>I gave you all my "reputation points" so now I can't vote anything up anymore.</P> Tue, 24 Feb 2015 14:20:11 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158871#M44801 sanorthrup 2015-02-24T14:20:11Z https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158872#M44802 <P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Glad we could help you achieve your solution, and quickly as well!</P> Tue, 24 Feb 2015 14:26:49 GMT https://community.splunk.com/t5/Splunk-Search/Finding-x-number-of-log-entries-that-happened-prior-to-search/m-p/158872#M44802 markthompson 2015-02-24T14:26:49Z