Context Search

axsolis
Path Finder

Hi,

Is there any way to do a contextual search in Splunk? For example, if I issue the command "grep -C 5 failed" it will return lines which contain the keyword "failed" AND the 5 lines before and 5 lines after. I am not sure how to do this in Splunk.

I am interested in searching for a message X which has message Y before it. I know I could achieve a successful search by using the OR operator but one of the messages is very common and clutters the results. So I would like to search for the much less common message X in a contextual fashion and manually inspect for message Y before it.

Thanks!


TXBU
New Member

How can I search for "Send failed" and result should display the 5 lines before the message found as well.

I need to see what happens before the "Send failed" occurred.

Any help on the search query would be helpful.


mw
Splunk Employee

cgilbert_splunk's link should probably work for you too. Something like this:

sourcetype=whatever | transaction endswith="Send failed" maxevents=5


cgilbert_splunk
Splunk Employee

You might try checking out this thread...I haven't had the chance to validate the searches, but there are a few things in here that seem to map to your use case:

http://splunk-base.splunk.com/answers/2602/can-splunk-filtermatch-events-and-bring-back-neighbouring...

axsolis
Path Finder

I think this does it. I was able to find the events I wanted anyway. More playing around will need to be done but it got me what I wanted. Thanks!


axsolis
Path Finder

Y is expected to come within 5 seconds of X. Could be before or after. Also, there are no fields that are common to the two messages. That is why I am wanting to find messages within a time window around X.


mw
Splunk Employee

Is Y expected to come directly before X, or could there be an hour or so in between?


cgilbert_splunk
Splunk Employee

One way that comes to mind would be to use the "transaction" parameter...this allows you to group events into a single transaction at search time...there are probably a few ways to use transaction in this manner:

source=foo <X_identifier> | transaction <field> maxspan=<span>

for X_identifier...I'd just be looking for something you'd only see in event X.

for "field", you have to choose a field in splunk that will be common to both of these transactions...common ones might be host, clientip..etc. maxspan isn't required, but I've found it useful.

What this will do is filter for X event, then build a transaction around X that presumably includes Y as well. Now, there may be better ways to do this, but this is one that I've used before for this purpose.

axsolis
Path Finder

Thanks for the reply and that is good info. Unfortunately messages X and Y have no common fields. I am looking for cases when Y is produced within 5 seconds or so of when X is produced. This does not happen consistently but I have an interest to find out when it does.

Gave point due to good informative answer. Unfortunately does not solve my issue. Thanks!

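The replies above approximate the original "grep -C" request in two different ways: mw's `transaction endswith="Send failed" maxevents=5` groups a fixed number of preceding events, while cgilbert_splunk's `transaction <field> maxspan=...` groups by time but needs a field shared by X and Y, which axsolis does not have. The added example below (editor-supplied, not code from the thread or from Splunk) writes both behaviours out explicitly over a constructed log, and then answers axsolis's actual question directly: which occurrences of rare message X have message Y within plus or minus 5 seconds, before or after, with no shared field at all. It assumes each log line begins with a `YYYY-MM-DD HH:MM:SS` timestamp; the sample lines, function names and patterns are the example's own. One caveat worth knowing when using the Splunk search: `maxevents` counts the closing `endswith` event as part of the transaction, so `maxevents=5` yields four preceding events, and five preceding events need `maxevents=6`.

```python
"""Contextual search over timestamped log events, in the spirit of
`grep -C` and of the two Splunk `transaction` searches in this thread.
Editor-added example; not code from the thread or from Splunk."""
from datetime import datetime, timedelta
from typing import List, Tuple

Event = Tuple[datetime, str]

# Constructed sample log for this example (not data from the thread).
# Every line starts with a timestamp followed by the message text.
SAMPLE_LOG = """\
2024-03-01 10:00:00 host1 sshd: Accepted publickey for alice
2024-03-01 10:00:01 host1 app: queue depth 12
2024-03-01 10:00:03 host2 app: retry scheduled for job 7
2024-03-01 10:00:04 host1 app: connection reset by peer
2024-03-01 10:00:05 host1 app: Send failed
2024-03-01 10:00:07 host2 app: retry scheduled for job 8
2024-03-01 10:00:20 host1 app: queue depth 3
2024-03-01 10:00:25 host2 app: connection reset by peer
2024-03-01 10:00:30 host1 app: heartbeat ok
2024-03-01 10:00:33 host1 app: Send failed
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"          # assumed timestamp layout
TS_LEN = len("2024-03-01 10:00:00")


def parse_log(text: str) -> List[Event]:
    """Turn raw log text into (timestamp, line) pairs sorted by time.
    Splunk orders events by _time for you; here it is explicit so that
    'before' and 'within N seconds' are well defined."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        events.append((datetime.strptime(line[:TS_LEN], TS_FORMAT), line))
    events.sort(key=lambda ev: ev[0])
    return events


def events_before(events: List[Event], pattern: str, n: int) -> List[List[Event]]:
    """For every event containing `pattern`, return the n events preceding
    it plus the match itself (grep -B n). This is what
    `transaction endswith=<pattern> maxevents=<n+1>` groups, since the
    closing event counts toward maxevents."""
    groups: List[List[Event]] = []
    for i, (_, line) in enumerate(events):
        if pattern in line:
            groups.append(events[max(0, i - n): i + 1])
    return groups


def _around(events: List[Event], ts: datetime, delta: timedelta) -> List[Event]:
    """All events with a timestamp in [ts - delta, ts + delta]."""
    lo, hi = ts - delta, ts + delta
    return [ev for ev in events if lo <= ev[0] <= hi]


def time_window(events: List[Event], pattern: str, seconds: float) -> List[List[Event]]:
    """For every event containing `pattern`, return every event within
    +/- `seconds` of it (grep -C measured in time, not lines). No shared
    field is required, which is the limitation of `transaction <field>`
    that the original poster hit."""
    delta = timedelta(seconds=seconds)
    return [_around(events, ts, delta) for ts, line in events if pattern in line]


def x_with_y_nearby(events: List[Event], x_pattern: str, y_pattern: str,
                    seconds: float) -> List[Tuple[Event, List[Event]]]:
    """The poster's real question: occurrences of rare message X that have
    message Y within +/- `seconds`, before or after. Returns
    (x_event, [nearby y_events]) pairs; X events with no nearby Y keep an
    empty list so the misses stay visible for manual inspection."""
    delta = timedelta(seconds=seconds)
    results: List[Tuple[Event, List[Event]]] = []
    for ts, line in events:
        if x_pattern in line:
            ys = [ev for ev in _around(events, ts, delta)
                  if y_pattern in ev[1] and ev != (ts, line)]
            results.append(((ts, line), ys))
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for x_ev, ys in x_with_y_nearby(evs, "Send failed", "connection reset", 5):
        print(x_ev[1], "<- Y nearby" if ys else "<- no Y within 5s")
        for y in ys:
            print("    ", y[1])
```

In the sample, the first "Send failed" has a "connection reset by peer" one second earlier and is reported with it; the second has its nearest "connection reset" eight seconds earlier and is reported with an empty list, which is the case a Splunk `maxspan=5s` transaction would silently drop.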