Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Equivalent of grep -A and grep -B

borisalves
Path Finder
‎02-20-2013 06:49 PM

I have a line that prints
2/20/13 6:45:45.000 PM [2013-02-20 18:45:45] FATAL

so that is ok, but what i really want to see is a couple of lines above or bellow that hit.

Does splunk have something similar to grep -A or grep -B or do I have to extract the time variable into a lookup table and then run another search looking for hits around that time stamp?

I am hoping something exists for that, thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

View solution in original post

0 Karma
Reply
Solved! Jump to solution

borisalves
Path Finder
‎03-04-2013 10:28 AM

Thank you all. The problem is that in a interval of 1 second I have too many results. If I ever find a similar function I will post in this questions.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:41 AM

That approach might work with streamstats as well. Tag your desired events with eval foo = 1, use streamstats with a certain window to sum up foo, and only keep events with sum(foo) > 0.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-05-2013 12:30 AM

Would it be possible to use a transaction to get X number of events before the identified event? Like;

...| transaction sourcetype endswith=FATAL maxevents=10 maxspan=1s

Since we're going backwards in time, it ought to be possible to find that "FATAL" and count 10 more events. Or is that just another way of doing stuff inefficiently?

/K

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:12 AM

If you need a shorter interval you could modify earliest and latest fields of localize down to the millisecond.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-21-2013 02:15 AM

The short answer is there's really no good way of doing this in Splunk. There are more or less convoluted ways, but no easy and intuitive. Sadly.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2013 01:17 AM

That looks complicated - consider http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/localize

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-20-2013 07:17 PM

Have you tried "Show Source" in the Event Menu? The Event Menu is the blue box with a down-arrow that sits next to the timestamp and data for each event.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...