Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get all events between two events?

vrmandadi
Builder
‎10-26-2022 08:45 AM

I have the following events.I am trying to get all the events between START and END of a job (inclusive).For instance the below job 51060 has 3 events in between...I am trying to a transaction command but I dont get the events in between.I only get the start and end event

| transaction startswith="START" endswith="END"

2022-10-21T23:26:14.075003-07:00 xyz slurm-epilog: END user=svc job=51060
2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T19:17:25.710875-07:00 xyz slurm-prolog: START user=svc job=51060

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 10:00 AM

 

| rex "\:\s(?<event_type>END|START)\s"
| transaction startswith=(event_type="START") endswith=(event_type="END")
0 Karma
Reply

vrmandadi
Builder
‎10-26-2022 11:04 AM

Doesnt give what I need...it just gives start and end events

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 11:18 AM

Transaction will give you an output of unique values for each field -- are you sure you're only seeing start and end events?

Try this as a test:

<base_search>
| rex "\:\s(?<event_type>END|START)\s"
| eval events="[".event_time."] : "._raw
| transaction startswith=(event_type="START") endswith=(event_type="END")
| table events

 

0 Karma
Reply

vrmandadi
Builder
‎10-26-2022 11:21 AM

Yes I only see two events per transaction which has start and end but dont see any events like below

2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550NVRM: Xid (PCI:): 119pid=16378name=cache_mgr_mainTimeout waiting for RPC from GSPExpected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964NVRM: Xid (PCI:): 119pid=16378name=cache_mgr_mainTimeout waiting for RPC from GSPExpected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401NVRM: Xid (PCI:): 119pid=16378name=cache_mgr_main,

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 09:33 AM

Is there any identifier that can tie the 3 middle events together with the start or end event or are you looking for all events between start and end?

0 Karma
Reply

vrmandadi
Builder
‎10-26-2022 09:50 AM

I dont have specific identifier to match it...But I am looking get all the events between them and then a calculation on them

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...