Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I display the 10 event entries prior to and post a specified keyword search?

Steve_A200
Path Finder
‎05-12-2023 07:38 AM

Hi,

In the logs file, we are capturing java error is multiple entries, so in order for me to see the entire error set, I need to see the events/records (10 used here as an example) that are immediately prior-to and post the keyword that is being search.

 

Currently, when I use the below SPL, I get only the events that contain the word "java" which is good, but I want to see the 10 records (i.e. log entry lines) prior to this "java" record and 10 entries post this "java" record".  The records prior-to and post may not have any keyword "java" in them, but I still want to see those records as part of the result set being displayed.

 

| from datamodel:"xyz"
| fields host source _time
| where like(_raw,"%java%")
| table host source _raw

 

Is there a way to display the 10 records/events prior-to and post the keyword being searched from the _raw field?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 09:29 AM

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse

View solution in original post

Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎05-12-2023 09:38 AM

Thank you ITWhisperer, that indeed did the trick.  I sandwiched your search between the fields and table  commands.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 08:09 AM

Try something like this

| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as post_java by java
| eval post_java=if(post_java==0,null(),post_java)
| reverse
| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as pre_java by java
| eval pre_java=if(pre_java==0,null(),pre_java)
| where pre_java <= 10 OR post_java <= 10
| reverse
0 Karma
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎05-12-2023 08:35 AM

Hi ITWhisperer,

Unfortunately, that didn't do the trick. 

2 issues:

- it did not list events that contained the keyword being search i.e. like "java"

- it listed a total of 20 events, I was hoping to list every event that contains the word "java" +/- 10 record, rather than just a single event +/- 10 events.

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 09:29 AM

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...