Filtering Events

Deepz2612
Explorer

Hi,
I want to know the current event and the event that comes right after that particular current event.

1. First I want to search for a particular number sequence, 12345.
2. Then find the event that occurs right after it.
3. I want the result to have both events.
4. The index, source and sourcetype for both events are the same.

Example:

In the set of data below,

Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
Srvcs.APIController - attempting

Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Srvcs.APIController - attempting

The result I want is

Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found

And for the second set

Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call

Kindly help me with this.

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
|  eval raw="Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
Srvcs.APIController - attempting
Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Srvcs.APIController - attempting"
| makemv delim="
" raw
| mvexpand raw

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| streamstats count AS _serial
| eval _time = _time + _serial
| rename raw AS _raw
| sort 0 - _time
| reverse
| streamstats count(eval(searchmatch("[12345]"))) AS sessionID
| dedup 2 sessionID
| stats min(_time) AS _time values(_raw) AS events BY sessionID
0 Karma

richgalloway
SplunkTrust

This sounds like a job for transaction.

index=foo source=bar sourcetype=baz | transaction startswith="12345" maxevents=2 | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

Deepz2612
Explorer

But that doesn't seem to work.
I tried it, but it is showing some other event and not this one.

0 Karma
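Pulling the steps of the question together (find every event carrying the marker, then keep only the event that immediately follows it in time, and never let an event from a different index, source or sourcetype be taken as that neighbour), here is an added SPL example. It is not code from any poster in this thread. It reuses the index=foo source=bar sourcetype=baz placeholders from the transaction reply, and the field names pair_id and position are chosen here for illustration; the `| rename COMMENT AS "..."` lines are the same no-op comment idiom used in the thread.

```spl
index=foo source=bar sourcetype=baz
| rename COMMENT AS "streamstats walks events in search order, which is newest first by default, so sort ascending first: 'next' must mean later in time"
| sort 0 _time
| rename COMMENT AS "pair_id goes up by one on every event that contains [12345], per index/source/sourcetype, so each marker and everything after it share a number; events before the first marker get 0"
| streamstats count(eval(like(_raw, "%[12345]%"))) AS pair_id BY index, source, sourcetype
| where pair_id > 0
| rename COMMENT AS "inside each pair_id, position 1 is the marker itself and position 2 is the event right after it; anything later is dropped"
| streamstats count AS position BY index, source, sourcetype, pair_id
| where position <= 2
| rename COMMENT AS "list() keeps arrival order, unlike values() which sorts; a marker that is the last event of its source yields a single-event row"
| stats min(_time) AS _time list(_raw) AS events BY index, source, sourcetype, pair_id
| sort 0 _time
```

Against the sample in the question this returns two rows, each holding the `Srvcs.APIController - Start - [12345]` line and the line that follows it; the two `attempting` lines are dropped because they sit at position 3. Grouping on index, source and sourcetype is what keeps an interleaved event from another source out of the pair; the same point applies to the transaction approach, where `transaction index source sourcetype startswith="12345" maxevents=2` scopes the neighbour to the same source instead of whatever event happens to be next in the whole result set.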