Splunk Search

How to include a few events from the log prior to the event that triggered the alert?

splunkIT
Splunk Employee
Splunk Employee

I would like to setup a scheduled alert which includes the event that triggers the alert, plus a few events prior the "main" event.

Tags (1)
0 Karma
1 Solution

Ruski88
Engager

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified.

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

View solution in original post

Ruski88
Engager

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified.

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...