Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Equivalent of grep -A and grep -B

borisalves
Path Finder
‎02-20-2013 06:49 PM

I have a line that prints
2/20/13 6:45:45.000 PM [2013-02-20 18:45:45] FATAL

so that is ok, but what i really want to see is a couple of lines above or bellow that hit.

Does splunk have something similar to grep -A or grep -B or do I have to extract the time variable into a lookup table and then run another search looking for hits around that time stamp?

I am hoping something exists for that, thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

View solution in original post

0 Karma
Reply
Solved! Jump to solution

borisalves
Path Finder
‎03-04-2013 10:28 AM

Thank you all. The problem is that in a interval of 1 second I have too many results. If I ever find a similar function I will post in this questions.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:41 AM

That approach might work with streamstats as well. Tag your desired events with eval foo = 1, use streamstats with a certain window to sum up foo, and only keep events with sum(foo) > 0.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-05-2013 12:30 AM

Would it be possible to use a transaction to get X number of events before the identified event? Like;

...| transaction sourcetype endswith=FATAL maxevents=10 maxspan=1s

Since we're going backwards in time, it ought to be possible to find that "FATAL" and count 10 more events. Or is that just another way of doing stuff inefficiently?

/K

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:12 AM

If you need a shorter interval you could modify earliest and latest fields of localize down to the millisecond.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-21-2013 02:15 AM

The short answer is there's really no good way of doing this in Splunk. There are more or less convoluted ways, but no easy and intuitive. Sadly.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2013 01:17 AM

That looks complicated - consider http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/localize

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-20-2013 07:17 PM

Have you tried "Show Source" in the Event Menu? The Event Menu is the blue box with a down-arrow that sits next to the timestamp and data for each event.

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...