How do you pull data from a previous event?

muzicman61 · ‎01-08-2019

So here is what my Splunk data looks like... these 4 events are consistently sequential.

›  1/7/19 1:02:11.211 PM    2019-01-07 14:02:11.211|Testing rule - Result:True
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|Testing rule - Condition:   (FifoCallBacks <= 1) && (OpMode == QSPEAK) 
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|Testing rule - Description: VHT_Test Rule
host = WTSFCCMY  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|rule:  VHT_Test
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService

Once I find an event with ( results:True) then I need the pull the rule name in the last event (VHT_Test)

So to clarify, when I find "result:True" I need to pull the rule name from the event 3 events prior.

Really lost on how to do this.

Thanks!

skoelpin · ‎01-08-2019

Use streamstats window=1 to grab from the nearest "neighbor"

https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Streamstats

How do you pull data from a previous event?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

How do you pull data from a previous event?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience