Splunk Search

How to filter my search results to only return events where a certain message occurred within 5 seconds of each other?

New Member

This can't be answered by limiting the time range searched.

Repro:
- I set my search terms and date range.
- I get back plenty of results, but
- I need to limit results only to times where a certain message is logged within 5 or so seconds of another

Example:
04-15-16 05:15:00 - neededMessage
04-17-16 22:00:15 - neededMessage
04-17-16 22:04:01 - neededMessage

04-19-16 04:02:33 - neededMessage

So there are results, but I only want results returned that are within a few seconds of each other, like rows 2 and 3 above.


Contributor

Transaction is your friend.

| transaction startswith=neededMessage1 endswith=neededmessage2 | where duration <=5

SplunkTrust

Throw in maxspan=5s or 5m in the transaction command to further limit the number of transactions.

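To show what the transaction/maxspan grouping suggested in the two answers actually selects from the question's sample data, here is an added Python example (not part of the thread, and not Splunk's own code). It parses the four sample lines from the question, groups consecutive occurrences of neededMessage whose total span stays within maxspan, and keeps only groups with more than one event; the two 04-17-16 events only group together at a 5-minute span, not at 5 seconds. The greedy forward grouping is an approximation of the transaction command, which processes events newest-first.

```python
from datetime import datetime, timedelta

# Constructed sample input, copied from the question's example
# (format: MM-DD-YY HH:MM:SS - message).
SAMPLE_LOG = """\
04-15-16 05:15:00 - neededMessage
04-17-16 22:00:15 - neededMessage
04-17-16 22:04:01 - neededMessage
04-19-16 04:02:33 - neededMessage
"""


def parse_events(text):
    """Parse 'MM-DD-YY HH:MM:SS - message' lines into (timestamp, message) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, _, message = line.partition(" - ")
        events.append((datetime.strptime(stamp, "%m-%d-%y %H:%M:%S"), message.strip()))
    return sorted(events)


def group_by_span(events, message, maxspan_seconds):
    """Group consecutive `message` events so that (last - first) never exceeds maxspan_seconds.

    Mirrors `transaction ... maxspan=<span>`: a new group starts as soon as the next
    event would push the group's total duration past maxspan.
    """
    maxspan = timedelta(seconds=maxspan_seconds)
    groups, current = [], []
    for ts, msg in events:
        if msg != message:
            continue
        if current and ts - current[0] > maxspan:
            groups.append(current)
            current = []
        current.append(ts)
    if current:
        groups.append(current)
    return groups


def clustered_events(text, message, maxspan_seconds):
    """Return only events that have another `message` event within maxspan_seconds
    (the question's requirement; equivalent to keeping transactions with eventcount > 1)."""
    groups = group_by_span(parse_events(text), message, maxspan_seconds)
    return [ts for g in groups if len(g) > 1 for ts in g]


if __name__ == "__main__":
    for span in (5, 300):  # maxspan=5s versus maxspan=5m
        hits = clustered_events(SAMPLE_LOG, "neededMessage", span)
        print(f"maxspan={span}s: {[t.strftime('%m-%d-%y %H:%M:%S') for t in hits]}")
```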