Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help building a search

robertoClaros
Explorer
‎01-07-2026 06:56 AM

Hello all,

I am currently trying to do a search in which I verify if :

=> "testA" syslog has been received before any of "test", "test2" or "test3" syslog OR if "testA" syslog has not been received but we have one of the other syslogs "test", "test2" or "test3"

The main goal is to verify if an event A happened before other ones making it a notable event.

I tried things with transactions and eval commands in order to know which syslog was received and which was last but without big success.

Thank you all.

Labels (2)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

asimit
Path Finder
‎01-09-2026 06:07 AM

Hi @robertoClaros ,

So the full solution for your original problem - detecting if "test" / "test2" / "test3" syslog happens before any "testA" (or no testA at all) - is this search:

| makeresults count=20
| streamstats count as event_num
| eval _time=_time - (20-event_num)*60
| eval Data=case(
    event_num % 5 == 0, "testA",
    event_num % 5 == 1, "test",
    event_num % 5 == 2, "test2",
    event_num % 5 == 3, "test3",
    true(), "testA"
  )
| eval host="test-host", source="syslog"
| sort 0 _time
| streamstats last(eval(if(Data=="testA",_time,null()))) as last_testA_time
| where isnull(last_testA_time) AND Data IN ("test", "test2", "test3")
| table _time Data host source last_testA_time

This test data creates the exact scenario u want - test events before testA gets flagged perfectly see the screenshot as well.

What it does (super simple):

  • Grabs only your relevant events

  • Sorts oldest first

  • streamstats tracks when testA was last seen (null if never)

  • where finds test/test2/test3 events where testA hasnt happened yet = your notable events!

 

View solution in original post

Preview file
392 KB
Reply
Solved! Jump to solution
Solution

asimit
Path Finder
‎01-09-2026 06:07 AM

Hi @robertoClaros ,

So the full solution for your original problem - detecting if "test" / "test2" / "test3" syslog happens before any "testA" (or no testA at all) - is this search:

| makeresults count=20
| streamstats count as event_num
| eval _time=_time - (20-event_num)*60
| eval Data=case(
    event_num % 5 == 0, "testA",
    event_num % 5 == 1, "test",
    event_num % 5 == 2, "test2",
    event_num % 5 == 3, "test3",
    true(), "testA"
  )
| eval host="test-host", source="syslog"
| sort 0 _time
| streamstats last(eval(if(Data=="testA",_time,null()))) as last_testA_time
| where isnull(last_testA_time) AND Data IN ("test", "test2", "test3")
| table _time Data host source last_testA_time

This test data creates the exact scenario u want - test events before testA gets flagged perfectly see the screenshot as well.

What it does (super simple):

  • Grabs only your relevant events

  • Sorts oldest first

  • streamstats tracks when testA was last seen (null if never)

  • where finds test/test2/test3 events where testA hasnt happened yet = your notable events!

 

Preview file
392 KB
Reply
Solved! Jump to solution

robertoClaros
Explorer
‎01-09-2026 08:09 AM

Thank you so much for the help !

I used latest in order not to need to sort events but it works really well on my side. 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-07-2026 07:11 AM

It is a bit difficult to advise without knowledge of what your events look like but let us assume that you have a field called test_name, then you can do something like this

``` Ensure event are in chronological order ```
| sort 0 _time
``` Find the previous time that "testA" was received ```
| streamstats last(eval(if(test_name=="testA",_time,null()))) as last_testA
| where isnull(last_testA) and test_name IN ("test", "test2", "test3")
Reply
Solved! Jump to solution

robertoClaros
Explorer
‎01-09-2026 08:08 AM

Thanks a lot ! I used it for the solution

0 Karma
Reply
Solved! Jump to solution

robertoClaros
Explorer
‎01-07-2026 07:01 AM

I tried the following example but it seems not really efficient and working : 

index=* Data IN ("testA", "test", "test2", "test3")
| transaction Data
| sort _time
| eval testA_present=if(match(Data, "testA"), "true", "false")
| eval test_present=if(match(Data, "(test|test2|test3)"), "true", "false")
| eval testA_last=if(testA_present="true" AND test_present="true", mvindex(split(Data, "|"), -1) == "testA", "false")
| where (testA_present="true" AND test_present="true" AND testA_last="false") OR (testA_present="false" AND test_present="true")

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...