Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I display the 10 event entries prior to and post a specified keyword search?

Steve_A200
Path Finder
‎05-12-2023 07:38 AM

Hi,

In the logs file, we are capturing java error is multiple entries, so in order for me to see the entire error set, I need to see the events/records (10 used here as an example) that are immediately prior-to and post the keyword that is being search.

 

Currently, when I use the below SPL, I get only the events that contain the word "java" which is good, but I want to see the 10 records (i.e. log entry lines) prior to this "java" record and 10 entries post this "java" record".  The records prior-to and post may not have any keyword "java" in them, but I still want to see those records as part of the result set being displayed.

 

| from datamodel:"xyz"
| fields host source _time
| where like(_raw,"%java%")
| table host source _raw

 

Is there a way to display the 10 records/events prior-to and post the keyword being searched from the _raw field?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 09:29 AM

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse

View solution in original post

Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎05-12-2023 09:38 AM

Thank you ITWhisperer, that indeed did the trick.  I sandwiched your search between the fields and table  commands.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 08:09 AM

Try something like this

| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as post_java by java
| eval post_java=if(post_java==0,null(),post_java)
| reverse
| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as pre_java by java
| eval pre_java=if(pre_java==0,null(),pre_java)
| where pre_java <= 10 OR post_java <= 10
| reverse
0 Karma
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎05-12-2023 08:35 AM

Hi ITWhisperer,

Unfortunately, that didn't do the trick. 

2 issues:

- it did not list events that contained the keyword being search i.e. like "java"

- it listed a total of 20 events, I was hoping to list every event that contains the word "java" +/- 10 record, rather than just a single event +/- 10 events.

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 09:29 AM

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...