Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to include a few events from the log prior to the event that triggered the alert?

splunkIT
Splunk Employee
Splunk Employee
‎04-05-2017 03:55 PM

I would like to setup a scheduled alert which includes the event that triggers the alert, plus a few events prior the "main" event.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ruski88
Engager
‎04-05-2017 04:18 PM

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified. 

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

View solution in original post

Reply
Solved! Jump to solution
Solution

Ruski88
Engager
‎04-05-2017 04:18 PM

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified. 

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...