Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Equivalent of grep -A and grep -B

borisalves
Path Finder
‎02-20-2013 06:49 PM

I have a line that prints
2/20/13 6:45:45.000 PM [2013-02-20 18:45:45] FATAL

so that is ok, but what i really want to see is a couple of lines above or bellow that hit.

Does splunk have something similar to grep -A or grep -B or do I have to extract the time variable into a lookup table and then run another search looking for hits around that time stamp?

I am hoping something exists for that, thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

View solution in original post

0 Karma
Reply
Solved! Jump to solution

borisalves
Path Finder
‎03-04-2013 10:28 AM

Thank you all. The problem is that in a interval of 1 second I have too many results. If I ever find a similar function I will post in this questions.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:41 AM

That approach might work with streamstats as well. Tag your desired events with eval foo = 1, use streamstats with a certain window to sum up foo, and only keep events with sum(foo) > 0.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-05-2013 12:30 AM

Would it be possible to use a transaction to get X number of events before the identified event? Like;

...| transaction sourcetype endswith=FATAL maxevents=10 maxspan=1s

Since we're going backwards in time, it ought to be possible to find that "FATAL" and count 10 more events. Or is that just another way of doing stuff inefficiently?

/K

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:12 AM

If you need a shorter interval you could modify earliest and latest fields of localize down to the millisecond.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-21-2013 02:15 AM

The short answer is there's really no good way of doing this in Splunk. There are more or less convoluted ways, but no easy and intuitive. Sadly.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2013 01:17 AM

That looks complicated - consider http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/localize

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-20-2013 07:17 PM

Have you tried "Show Source" in the Event Menu? The Event Menu is the blue box with a down-arrow that sits next to the timestamp and data for each event.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top