- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get all events between two events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get all events between two events?
I have the following events.I am trying to get all the events between START and END of a job (inclusive).For instance the below job 51060 has 3 events in between...I am trying to a transaction command but I dont get the events in between.I only get the start and end event
| transaction startswith="START" endswith="END"
2022-10-21T23:26:14.075003-07:00 xyz slurm-epilog: END user=svc job=51060
2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T19:17:25.710875-07:00 xyz slurm-prolog: START user=svc job=51060
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex "\:\s(?<event_type>END|START)\s"
| transaction startswith=(event_type="START") endswith=(event_type="END")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doesnt give what I need...it just gives start and end events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transaction will give you an output of unique values for each field -- are you sure you're only seeing start and end events?
Try this as a test:
<base_search>
| rex "\:\s(?<event_type>END|START)\s"
| eval events="[".event_time."] : "._raw
| transaction startswith=(event_type="START") endswith=(event_type="END")
| table events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I only see two events per transaction which has start and end but dont see any events like below
2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any identifier that can tie the 3 middle events together with the start or end event or are you looking for all events between start and end?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont have specific identifier to match it...But I am looking get all the events between them and then a calculation on them
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
