Re: How do you pull data from a previous event?

muzicman61 · ‎01-08-2019

So here is what my Splunk data looks like... these 4 events are consistently sequential.

›  1/7/19 1:02:11.211 PM    2019-01-07 14:02:11.211|Testing rule - Result:True
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|Testing rule - Condition:   (FifoCallBacks <= 1) && (OpMode == QSPEAK) 
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|Testing rule - Description: VHT_Test Rule
host = WTSFCCMY  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|rule:  VHT_Test
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService

Once I find an event with ( results:True) then I need the pull the rule name in the last event (VHT_Test)

So to clarify, when I find "result:True" I need to pull the rule name from the event 3 events prior.

Really lost on how to do this.

Thanks!

skoelpin · ‎01-08-2019

Use streamstats window=1 to grab from the nearest "neighbor"

https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Streamstats

How do you pull data from a previous event?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation