Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get last 3 events based on time in 1 index when an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sfry1981
Communicator
11-09-2017
04:07 AM
I have the below search where i get an errot and then i want to pull through the last 3 events prior to that error but they sit in another index. the only matching information that joins them is the user id. I want the second search to look at the errors time and then pull the last 3 results prior to that time. Currently it is pulling through the latest results as I am not sure how to specify this. Any help would be appreciated as I cant seem to find an answer through the splunk answers for this.
index=index1 errorid =99999999 usersid=111 | head 1 | append [search index=index2 sid=* clientid=* usersid=111| head 3 ] | table usersid errorid message nav1 _time
My results show like this
usersid a_errid message nav1 _time
96494 454545 error 2017-10-25T09:35:35.000+0100
96494 nav1area 2017-11-09T11:49:51.000+0000
96494 nav1area 2017-11-09T11:49:50.000+0000
96494 nav1area 2017-11-09T11:48:50.000+0000
As you can see the times are for now but the error was back on the 25th oct so i need the events to show the last 3 events before that time?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-09-2017
08:28 AM
Try like this
index=index1 errorid =99999999 usersid=111 | head 1 | table _time userid errorid
| eval earliest=_time-86400 | eval latest=_time
| map search="search index=index2 sid=* clientid=* usersid=$userid$ latest=$latest$ earliest=$earliest$ | head 3 | table _time userid message nav1 | eval errorid=\"$errorid$\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-09-2017
08:28 AM
Try like this
index=index1 errorid =99999999 usersid=111 | head 1 | table _time userid errorid
| eval earliest=_time-86400 | eval latest=_time
| map search="search index=index2 sid=* clientid=* usersid=$userid$ latest=$latest$ earliest=$earliest$ | head 3 | table _time userid message nav1 | eval errorid=\"$errorid$\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sfry1981
Communicator
11-09-2017
12:09 PM
Thanks somesoni2 and its nearly perfect, Its pulling through the 3 events for that date into the statistics but then it shows the error log in the events tab but i need it to show in the statistics tab with the other events. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sfry1981
Communicator
11-09-2017
12:20 PM
Sorry someoni2 please ignore me and it is there as I was not looking at it properly. You are a star 🙂
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
