Hi,
Is there any way to do a contextual search in Splunk? For example, if I issue the command "grep -C 5 failed
I am interested in searching for a message X which has message Y before it. I know I could achieve a successful search by using the OR operator but one of the messages is very common and clutters the results. So I would like to search for the much less common message X in a contextual fashion and manually inspect for message Y before it.
Thanks!
You might try checking out this thread...I haven't had the chance to validate the searches, but there are a few things in here that seem to map to your use case:
How can I search for "Send failed" and result should display the 5 lines before the message found as well.
I need to see what happens before the "Send failed" occurred.
Any help on the search query would be helpful.
cgilbert_splunk's link should probably work for you too. Something like this:
sourcetype=whatever | transaction endswith="Send failed" maxevents=5
I think this does it. I was able to find the events I wanted anyway. More playing around will need to be done but it got me what I wanted. Thanks!
Y is expected to come within 5 seconds of X. Could be before or after... Also, there are no fields that are common to the two messages. That is why I am wanting to find messages within a time window around X.
Is Y expected to come directly before X, or could there be an hour or so in between?
One way that comes to mind would be to use the "transaction" parameter...this allows you to group events into a single transaction at search time...there are probably a few ways to use transaction in this manner:
source=foo X_identifier | transaction field maxspan=5s
for X_identifier...I'd just be looking for something you'd only see in event X.
for "field", you have to choose a field in splunk that will be common to both of these transactions...common ones might be host, clientip..etc. maxspan isn't required, but I've found it useful.
What this will do is filter for X event, then build a transaction around X that presumably includes Y as well. Now, there may be better ways to do this, but this is one that I've used before for this purpose.
Thanks for the reply and that is good info. Unfortunately messages X and Y have no common fields. I am looking for cases when Y is produced within 5 seconds or so of when X is produced. This does not happen consistently but I have an interest to find out when it does.
Gave point due to good informative answer. Unfortunately does not solve my issue. Thanks!
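What the asker actually needs is a correlation of X and Y inside a window of a few seconds with no shared field, which is what the transaction searches in this thread only approximate. As an added illustration that is not Splunk code and not part of the original thread, the Python script below runs the two checks discussed here offline over a constructed log: the grep -C style "N events before each match" and a time-window correlation that reports every Y within plus or minus N seconds of each X, regardless of any common field. The sample log lines, the message texts and the function names are all constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample log for the example (not taken from the thread).
# "Send failed" plays the role of the rare message X,
# "retrying queue flush" plays the role of the common message Y.
SAMPLE_LOG = """\
2024-01-01 10:00:00 connection opened client=10.0.0.5
2024-01-01 10:00:02 retrying queue flush
2024-01-01 10:00:03 Send failed to 10.0.0.5
2024-01-01 10:00:06 retrying queue flush
2024-01-01 10:00:30 connection opened client=10.0.0.9
2024-01-01 10:00:45 Send failed to 10.0.0.9
2024-01-01 10:01:00 heartbeat ok
"""


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS message' lines into (timestamp, message) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        events.append((ts, line[20:]))
    # Sort so the "events before" context is meaningful even if the input was not ordered.
    return sorted(events, key=lambda ev: ev[0])


def context_before(events, pattern, n):
    """grep -B style: for each event containing pattern, return the n preceding events plus the match."""
    groups = []
    for i, (_, msg) in enumerate(events):
        if pattern in msg:
            groups.append(events[max(0, i - n):i + 1])
    return groups


def window_correlate(events, x_pattern, y_pattern, seconds):
    """For each X event, collect the Y events whose timestamp lies within +/- seconds of it.

    No join key is needed: the only relation used is proximity in time, which is what
    'transaction' cannot express when the two messages share no field.
    """
    window = timedelta(seconds=seconds)
    xs = [ev for ev in events if x_pattern in ev[1]]
    ys = [ev for ev in events if y_pattern in ev[1]]
    results = []
    for x_ts, x_msg in xs:
        nearby = [(y_ts, y_msg) for y_ts, y_msg in ys if abs(y_ts - x_ts) <= window]
        results.append({"x_time": x_ts, "x": x_msg, "y_nearby": nearby})
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for group in context_before(evs, "Send failed", 2):
        print("--- context ---")
        for ts, msg in group:
            print(ts, msg)
    for hit in window_correlate(evs, "Send failed", "retrying queue flush", 5):
        print(hit["x_time"], hit["x"], "-> Y within 5s:", len(hit["y_nearby"]))
```

Running it on the constructed log shows the first "Send failed" with two "retrying queue flush" events inside the 5 second window (one before, one after) and the second one with none, which is exactly the "does Y happen near X, and when" question from the thread; only the X events with non-empty y_nearby need manual inspection.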