Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get last 3 events based on time in 1 index when an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sfry1981
Communicator
11-09-2017
04:07 AM
I have the below search where i get an errot and then i want to pull through the last 3 events prior to that error but they sit in another index. the only matching information that joins them is the user id. I want the second search to look at the errors time and then pull the last 3 results prior to that time. Currently it is pulling through the latest results as I am not sure how to specify this. Any help would be appreciated as I cant seem to find an answer through the splunk answers for this.
index=index1 errorid =99999999 usersid=111 | head 1 | append [search index=index2 sid=* clientid=* usersid=111| head 3 ] | table usersid errorid message nav1 _time
My results show like this
usersid a_errid message nav1 _time
96494 454545 error 2017-10-25T09:35:35.000+0100
96494 nav1area 2017-11-09T11:49:51.000+0000
96494 nav1area 2017-11-09T11:49:50.000+0000
96494 nav1area 2017-11-09T11:48:50.000+0000
As you can see the times are for now but the error was back on the 25th oct so i need the events to show the last 3 events before that time?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-09-2017
08:28 AM
Try like this
index=index1 errorid =99999999 usersid=111 | head 1 | table _time userid errorid
| eval earliest=_time-86400 | eval latest=_time
| map search="search index=index2 sid=* clientid=* usersid=$userid$ latest=$latest$ earliest=$earliest$ | head 3 | table _time userid message nav1 | eval errorid=\"$errorid$\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-09-2017
08:28 AM
Try like this
index=index1 errorid =99999999 usersid=111 | head 1 | table _time userid errorid
| eval earliest=_time-86400 | eval latest=_time
| map search="search index=index2 sid=* clientid=* usersid=$userid$ latest=$latest$ earliest=$earliest$ | head 3 | table _time userid message nav1 | eval errorid=\"$errorid$\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sfry1981
Communicator
11-09-2017
12:09 PM
Thanks somesoni2 and its nearly perfect, Its pulling through the 3 events for that date into the statistics but then it shows the error log in the events tab but i need it to show in the statistics tab with the other events. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sfry1981
Communicator
11-09-2017
12:20 PM
Sorry someoni2 please ignore me and it is there as I was not looking at it properly. You are a star 🙂
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
