Splunk Search

How can I display the 10 event entries prior to and post a specified keyword search?

Steve_A200
Path Finder

Hi,

In the log file, we are capturing Java errors in multiple entries, so in order for me to see the entire error set, I need to see the events/records (10 is used here as an example) that are immediately prior to and post the keyword that is being searched.


Currently, when I use the below SPL, I get only the events that contain the word "java", which is good, but I want to see the 10 records (i.e. log entry lines) prior to this "java" record and 10 entries post this "java" record. The records prior to and post may not have the keyword "java" in them, but I still want to see those records as part of the result set being displayed.


| from datamodel:"xyz"
| fields host source _time
| where like(_raw,"%java%")
| table host source _raw


Is there a way to display the 10 records/events prior to and post the keyword being searched from the _raw field?

Thanks

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse


Steve_A200
Path Finder

Thank you ITWhisperer, that indeed did the trick. I sandwiched your search between the fields and table commands.

0 Karma

ITWhisperer
SplunkTrust

Try something like this

| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as post_java by java
| eval post_java=if(post_java==0,null(),post_java)
| reverse
| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as pre_java by java
| eval pre_java=if(pre_java==0,null(),pre_java)
| where pre_java <= 10 OR post_java <= 10
| reverse
0 Karma

Steve_A200
Path Finder

Hi ITWhisperer,

Unfortunately, that didn't do the trick.

2 issues:

- it did not list events that contained the keyword being searched, i.e. like "java"

- it listed a total of 20 events; I was hoping to list every event that contains the word "java" +/- 10 records, rather than just a single event +/- 10 events.

Thanks

0 Karma

ITWhisperer
SplunkTrust

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse
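The following is an added example, not code from the thread above: a Python replay of the accepted streamstats pipeline over a constructed list of 35 log lines, so you can see exactly which events the `where pre_java <= 10 OR post_java <= 10` filter keeps when the keyword appears more than once. Two things are assumptions rather than facts taken from the thread: `searchmatch("java")` is modelled as a case-insensitive substring test, and `streamstats ... by java` is modelled as leaving the count unset on events whose BY field is null (that is the behaviour the `eval java=if(java==0,null(),java)` step relies on, and the `null_zero=False` switch shows what the filter would return without that step).

```python
"""Replay of the accepted streamstats pipeline over constructed events.

Added example, not code from the original thread.  It models this SPL:

    | streamstats count(eval(searchmatch("java"))) as java
    | eval java=if(java==0,null(),java)
    | streamstats reset_on_change=t count as post_java by java
    | reverse
    | (same three commands again, producing pre_java)
    | where pre_java <= 10 OR post_java <= 10
    | reverse

Assumptions (not verified against a Splunk instance): searchmatch() is a
case-insensitive substring test, and streamstats with a BY field leaves the
count unset on events whose BY value is null.
"""


def is_match(raw: str, keyword: str) -> bool:
    # Simplified stand-in for searchmatch(): case-insensitive substring test.
    return keyword.lower() in raw.lower()


def run_counter(raws, keyword, null_zero=True):
    """Per-event count produced by the three streamstats/eval commands.

    Returns one entry per event in stream order: the reset_on_change count
    within the current match group, or None for events before any match when
    the group field has been nulled out (null_zero=True).  null_zero=False
    models omitting the eval that nulls java==0.
    """
    counts = []
    matches_so_far = 0   # streamstats count(eval(searchmatch(...))) as java
    current_group = None  # last BY value seen, for reset_on_change=t
    within_group = 0
    for raw in raws:
        if is_match(raw, keyword):
            matches_so_far += 1
        group = matches_so_far
        if null_zero and group == 0:
            counts.append(None)  # null BY value: assumed skipped by streamstats
            continue
        if group != current_group:  # reset_on_change=t
            current_group = group
            within_group = 0
        within_group += 1  # count is inclusive of the current event
        counts.append(within_group)
    return counts


def context_window(raws, keyword, n, null_zero=True):
    """Indices of events kept by `where pre_java <= n OR post_java <= n`."""
    post = run_counter(raws, keyword, null_zero)
    # `| reverse`, recompute the counter, `| reverse` back to stream order.
    pre = list(reversed(run_counter(list(reversed(raws)), keyword, null_zero)))
    return [i for i, (p, q) in enumerate(zip(pre, post))
            if (p is not None and p <= n) or (q is not None and q <= n)]


# Constructed sample: 35 heartbeat lines with Java errors at positions 12 and 20.
SAMPLE = [f"2024-01-01T00:00:{i:02d} app INFO heartbeat {i}" for i in range(35)]
SAMPLE[12] = "2024-01-01T00:00:12 app ERROR java.lang.NullPointerException at Foo.bar"
SAMPLE[20] = "2024-01-01T00:00:20 app ERROR java.io.IOException: connection reset"
FIRST_HIT, LAST_HIT = 12, 20


def summarize(n, null_zero=True):
    """How many events survive, and how many sit before the first / after the last hit."""
    kept = context_window(SAMPLE, "java", n, null_zero)
    return {
        "kept": len(kept),
        "before_first": sum(1 for i in kept if i < FIRST_HIT),
        "after_last": sum(1 for i in kept if i > LAST_HIT),
    }


if __name__ == "__main__":
    print("threshold 10, java==0 nulled  :", summarize(10))
    print("threshold 11, java==0 nulled  :", summarize(11))
    print("threshold 10, null step omitted:", summarize(10, null_zero=False))
```

Two points fall out of the replay. First, because the `count` in `streamstats reset_on_change=t count ... by java` is inclusive of the current event, the matching event itself has `post_java=1` and `pre_java=1`, so a threshold of `<= 10` yields the match plus 9 neighbours on each side; use `<= 11` if exactly 10 context events are wanted. Second, without the `eval java=if(java==0,null(),java)` step the events before the first match (and, on the reversed pass, after the last match) form a group of their own, and the first and last 10 events of the search leak into the result. One further caveat when reading the field names: if results arrive in Splunk's default reverse-chronological order, `post_java` labels events that are later in the result list, i.e. older in time; the `where` clause is symmetric, so the set of returned events is unaffected.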