I have a Splunk Dashboard. It has a text field named "Error msg" and a Time-Picker. (Image - "Dashboard items").
If the text field "Error msg" is empty, I am able to display all the logs within the given time frame.
Query:
index=AppIndex cf_app_name=AppName msg!="*Hikari*" taskExecutor- | fields _time msg | sort -_time | table _time msg
Now, if I enter a log message in the text field "Error msg", my goal is, for the given time frame, to:
1. Search all the occurrences of this "Log message".
2. Get the latest occurrence.
3. In the output table, print the logs right before the last occurrence of the msg.
In this way, the user can trace the error msg and look at the logs (right before the error in the text field) to find what caused the error to happen.
Any suggestions on how this can be done via a query?
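One way to build the query described in the post, as an added example that is not the poster's own search: it keeps the base search from the dashboard, marks the events whose msg contains the text entered in the field, uses eventstats to find the time of the latest match, and then keeps only the events at or before that time. It assumes the text field's dashboard token is called error_msg (with an empty default so the search still runs when the field is blank) and caps the "logs right before" at 50 events; both are assumptions, not values from the dashboard.

```spl
index=AppIndex cf_app_name=AppName msg!="*Hikari*" taskExecutor-
| fields _time msg
| eval is_match=if(like(msg, "%$error_msg$%"), 1, 0)
| eval match_time=if(is_match=1, _time, null())
| eventstats max(match_time) as last_error_time
| where _time <= last_error_time
| sort -_time
| head 50
| table _time msg
```

When the field is empty, "%$error_msg$%" matches every event, so last_error_time is the newest event in the time range and the table shows all logs, matching the existing behaviour. When a message is entered, the first row is its latest occurrence and the rows below it are the events that immediately preceded it; adjust the head count to show more or less context.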