How can I search for not only the filtered messages but also a couple of messages around them?
For example, I want to search for acc=9045 and also the events before and after it in the event pipeline.
index="abc" | search app_name="*my_app*" | ??
Here is a run-anywhere example demonstrating a technique for finding events either side of acc 9045:
| makeresults count=100
| streamstats count as row
| eval acc=9045 + random()%10
``` the lines above set up some dummy data ```
| eval flag=if(acc=9045,1,null()) ``` flag the events you are interested in ```
| streamstats count(flag) as after reset_before="("acc=9045")" ``` count the flags - all this really does is set field to zero until the first flag, and to one from the first flag ```
| streamstats sum(after) as after reset_before="("acc=9045")" ``` sum the previous ones to give a running count - reset count when the event you are interested in appears ```
| reverse ``` reverse the pipeline to count in the opposite direction ```
| streamstats count(flag) as before reset_before="("acc=9045")" ``` count the flags - all this really does is set field to zero until the first flag, and to one from the first flag ```
| streamstats sum(before) as before reset_before="("acc=9045")" ``` sum the previous ones to give a running count - reset count when the event you are interested in appears ```
| where before==1 OR before==2 OR after==2 ``` keep events either side of the events of interest ```
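To see what the two streamstats passes and the reverse step compute row by row, here is a small Python model of the same technique, generalized to a configurable number of events either side. It is an added example, not part of the original answer and not Splunk code; the function names, the `window` parameter and the sample events are assumptions constructed for illustration.

```python
"""Python model of the flag / running-count / reverse technique (added example)."""


def running_count(events, is_hit):
    """Mimic the two streamstats passes with reset_before:
    0 before the first hit, 1 on a hit, then 2, 3, ... on the events after it."""
    counts, n = [], 0
    for ev in events:
        if is_hit(ev):
            n = 1          # the count restarts on the hit itself
        elif n:
            n += 1         # events that follow a hit
        counts.append(n)
    return counts


def with_context(events, is_hit, window=1):
    """Return (offset, event) pairs: each hit plus `window` events either side.
    Offset 0 is a hit, negative is before a hit, positive is after one."""
    after = running_count(events, is_hit)
    # The `reverse` step: count in the opposite direction, then restore order.
    before = running_count(events[::-1], is_hit)[::-1]
    kept = []
    for ev, a, b in zip(events, after, before):
        if a == 1:
            kept.append((0, ev))
        elif 2 <= a <= window + 1:
            kept.append((a - 1, ev))
        elif 2 <= b <= window + 1:
            kept.append((1 - b, ev))
    return kept


# Constructed sample pipeline: nine rows, hits on rows 3, 7 and 8.
EVENTS = [
    {"row": i, "acc": acc}
    for i, acc in enumerate(
        [9047, 9046, 9045, 9048, 9049, 9051, 9045, 9045, 9050], start=1
    )
]


def is_acc_9045(ev):
    return ev["acc"] == 9045


if __name__ == "__main__":
    for offset, ev in with_context(EVENTS, is_acc_9045, window=1):
        print(f"{offset:+d} row={ev['row']} acc={ev['acc']}")
```

With `window=1` the kept rows are the same set the `where before==1 OR before==2 OR after==2` filter keeps; rows before the first hit have a running count of 0 and are only kept through the reversed pass.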
Hi
Maybe not what you are looking for, but one way to try to find events just before and after selected events is to just search and select the Time field. That opens a pop-up where you can set some time values for the next search. But remember that if you have some earliest/latest on the cmd line, then those override these settings.
r. Ismo
Can you please provide an example?
You need to be more specific - when you say "around it", do you mean events before and after in the event pipeline?
You need to identify the events you are interested in, then count the events afterwards with streamstats; then reverse the events pipeline and count the events afterwards in that direction with streamstats. Then filter by counts.
Yes, I mean events before and after in the event pipeline.