Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get all events between two events?

vrmandadi
Builder
‎10-26-2022 08:45 AM

I have the following events.I am trying to get all the events between START and END of a job (inclusive).For instance the below job 51060 has 3 events in between...I am trying to a transaction command but I dont get the events in between.I only get the start and end event

| transaction startswith="START" endswith="END"

2022-10-21T23:26:14.075003-07:00 xyz slurm-epilog: END user=svc job=51060
2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T19:17:25.710875-07:00 xyz slurm-prolog: START user=svc job=51060

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 10:00 AM

 

| rex "\:\s(?<event_type>END|START)\s"
| transaction startswith=(event_type="START") endswith=(event_type="END")
0 Karma
Reply

vrmandadi
Builder
‎10-26-2022 11:04 AM

Doesnt give what I need...it just gives start and end events

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 11:18 AM

Transaction will give you an output of unique values for each field -- are you sure you're only seeing start and end events?

Try this as a test:

<base_search>
| rex "\:\s(?<event_type>END|START)\s"
| eval events="[".event_time."] : "._raw
| transaction startswith=(event_type="START") endswith=(event_type="END")
| table events

 

0 Karma
Reply

vrmandadi
Builder
‎10-26-2022 11:21 AM

Yes I only see two events per transaction which has start and end but dont see any events like below

2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550NVRM: Xid (PCI:): 119pid=16378name=cache_mgr_mainTimeout waiting for RPC from GSPExpected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964NVRM: Xid (PCI:): 119pid=16378name=cache_mgr_mainTimeout waiting for RPC from GSPExpected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401NVRM: Xid (PCI:): 119pid=16378name=cache_mgr_main,

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 09:33 AM

Is there any identifier that can tie the 3 middle events together with the start or end event or are you looking for all events between start and end?

0 Karma
Reply

vrmandadi
Builder
‎10-26-2022 09:50 AM

I dont have specific identifier to match it...But I am looking get all the events between them and then a calculation on them

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...