I have a dashboard that identifies Windows hard shut downs (event code=41). However, we want to see the windows events leading up to the hard shut down.
For example, my results table says I had a hard shut down on host .111 at 1:30PM. How can I pipe this to more logic that will show me windows events from 1:20PM to 1:30PM (in order to provide clues about what led up to the hard shut down)? I prefer not to do this manually but to actually have a query dynamically retrieve those "lead up" events.
You can try something like this:
index=YourIndex sourcetype=YourSourcetype [ search index=YourIndex sourcetype=YourSourcetype event_code=41 | eval earliest=relative_time(_time,"-10m@m") | eval latest=_time | return earliest latest ] | rest of search
I like your answer because it clarifies something I struggled with in Martin's: the map command in the quoted section - "search for lead-up events earliest=$starttime latest=$endtime$" - was unclear to me, whereas your example demonstrates a standard SPL search structure referencing an index and a sourcetype.
You can use map like this:
search for event code 41 | localize timebefore=10m | map search="search for lead-up events earliest=$starttime$ latest=$endtime$"
localize takes events from the first search and converts them into timeranges, going back 10 minutes.
map takes these timeranges and runs new searches based on the ranges.
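Building on both answers above, here is an added example that is not from either poster. The return-based subsearch only hands back its first result and ignores which machine rebooted, so this version uses format to build one (host AND earliest AND latest) clause per event code 41 hit, giving a 10-minute lead-up window per host; the index name wineventlog, the sourcetype WinEventLog:System and the field name EventCode are assumptions about your environment.

```spl
index=wineventlog sourcetype="WinEventLog:System"
    [ search index=wineventlog sourcetype="WinEventLog:System" EventCode=41
      | eval earliest=relative_time(_time, "-10m@m"), latest=_time
      | fields host earliest latest
      | format ]
| sort 0 host _time
| table _time host EventCode SourceName Message
```

The outer time picker still bounds the results, so run it over a range wide enough to include the 10 minutes before the earliest shutdown you care about. Each row of the table is an event that fired on the same host in the ten minutes before that host's event code 41.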