Splunk Search

How do I get more context around my search result while searching in splunk?

Path Finder

Suppose my log indexed in splunk looks like:

1
...
50 abracadabra
...

Now, I do a search for abracadabra. splunk will show me 1 event i.e. line number 50.

How do I see the lines before and after line 50 to get more context? Can I 'jump' to line 50 like we can jump to any line in vim?

Thank you.

0 Karma

Esteemed Legend

BEWARE! Read the warnings on the map command in the documentation (it can be as all-consuming of resources as real-time searches are). This answer assumes that you literally meant what you wrote: that all these events are in the same file. Assuming that you have 1 event/line (almost certainly true), you can do something like this:

index=alwaysUseAnIndexValue sourcetype=alwaysUseSourcetypeValuesToo abracadabra
| eval serial=_serial
| map search="search index=$index$ sourcetype=$sourcetype$ source=$source$ | eval serial=$serial$"

This gives you ALL lines, so you will have to do a bit more work after that, but this is the main/hard part.

0 Karma

Esteemed Legend

BEWARE! Read the warnings on the map command in the documentation (it can be as all-consuming of resources as real-time searches are). You can do something similar like this:

index=alwaysUseAnIndexValue sourcetype=alwaysUseSourcetypeValuesToo abracadabra
| eval earliest=_time - 1
| eval latest = _time + 1
| eval serial=_serial
| map search="search index=$index$ sourcetype=$sourcetype$ earliest=$earliest$ latest=$latest$ | eval serial=$serial$"

This will give you 1 second of events before, everything in the same second, and 1 second of events after, and an indication of which source event (serial) the events match against.
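The approach above keys the context on time. As an added example (not from this thread or from Splunk's documentation), the following search instead emulates grep -A 2 -B 2, returning the two events on either side of every hit in index order within a single search and no map; it assumes an index named app, a sourcetype app_log and a single source file /var/log/app.log, all of which are placeholders.

```spl
index=app sourcetype=app_log source="/var/log/app.log" earliest=-1h
| reverse
| eval hit=if(searchmatch("abracadabra"), 1, 0)
| streamstats window=3 sum(hit) as hits_above
| reverse
| streamstats window=3 sum(hit) as hits_below
| reverse
| where hits_above > 0 OR hits_below > 0
| eval marker=if(hit=1, ">>", "")
| table marker _time _raw
```

The first reverse puts events in file order; each streamstats with window=3 counts hits in the current event plus its two neighbours on one side, so an event survives the where clause when a hit sits at most two lines above or below it. Changing both window values to N+1 gives N lines of context, and the earliest= bound keeps the search from reading the whole source.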

Path Finder

This is how I would approach this as well.

Path Finder

grep command in linux has -A and -B arguments for this. So, I was wondering if splunk has something similar.

0 Karma

Revered Legend

So all these lines are coming to splunk as separate events (each line is an event)? If your search returns fewer events and you want to check surrounding events, you can use Event Actions -> Show source. You can also use the methods described in the links below to look for neighboring events.

https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html

0 Karma